From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 1 23:17:52 2004
From: Gregory Bond
Sender: gnb@itga.com.au
To: dawnshade
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 02 Aug 2004 09:17:48 +1000
Subject: Re: strange behavior of ipfw2 counters
Message-Id: <200408012317.JAA27513@lightning.itga.com.au>
In-reply-to: Your message of Fri, 30 Jul 2004 11:41:17 +0400.

h-k@mail.ru said:
>
> 00001 5900 1623729 count ip from any to any in recv cp1
> 00002  130    9768 count ip from any to any out xmit cp1
>
> cp1 - external interface, no nat, routes real IP addresses.
> When I download via http from this router, counter 2 increases, but when
> I download from a client behind this router via ftp, counter 2 increases, but
> _very_ little.

In rule 2, you are counting bytes back out to the internet.  For an FTP
download, this will only be the ACK packets - a very tiny amount.
Perhaps you meant "out fxp1" instead?

> P.S. Sorry for terrible English.

Your English is far better than our Russian!

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 2 06:49:45 2004
From: Ruslan Ermilov
To: Pawel Malachowski
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 2 Aug 2004 09:49:31 +0300
Subject: Re: ipfw(8) man page, space between IP address and dot.
Message-ID: <20040802064931.GD2404@ip.net.ua>
In-Reply-To: <20040730204501.GB18079@shellma.zin.lublin.pl>
References: <20040730204501.GB18079@shellma.zin.lublin.pl>
On Fri, Jul 30, 2004 at 10:45:01PM +0200, Pawel Malachowski wrote:
> Hello,
>
> Are these spaces between IP address and dot (ending sentence) intentional
> and correct?
> % zgrep -ER '[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\ +\.' /usr/share/man/cat*
> /usr/share/man/cat8/ipfw.8.gz:     1.2.3.0 to 1.2.3.127 .
> /usr/share/man/cat8/ipfw.8.gz:     1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .
>
> In other man pages there is no such space:
> % zgrep -ER '[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.' /usr/share/man/cat*
> /usr/share/man/cat1/tcpdump.1.gz:     address 128.32.137.3.  The total size of the response was 273 bytes,
> /usr/share/man/cat4/bpf.4.gz:     128.3.112.35.
> /usr/share/man/cat5/named.conf.5.gz:     (`.''), such as 123, 45.67 or 89.123.45.67.
> /usr/share/man/cat5/named.conf.5.gz:     127.0.0.0 with netmask 255.0.0.0.  1.2.3.0/28 is network 1.2.3.0 with
> /usr/share/man/cat5/named.conf.5.gz:     netmask 255.255.255.240.
> /usr/share/man/cat5/named.conf.5.gz:     port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.
> /usr/share/man/cat5/ipnat.5.gz:     This would send alternate connections to either 203.1.2.3 or 203.1.2.4.
> /usr/share/man/cat5/ipnat.5.gz:     203.1.2.4 and then 203.1.2.5 before going back to 203.1.2.3.  In accom-
> /usr/share/man/cat8/route.8.gz:     192.168.64/20 is interpreted as -net 192.168.64 -netmask 255.255.240.0.
> /usr/share/man/cat8/natd.8.gz:     machine 10.0.0.8.
> /usr/share/man/cat8/natd.8.gz:     would specify an alias address of 158.152.17.1.  Options that
> /usr/share/man/cat8/ppp.8.gz:     only accept an address of 192.244.177.38.
> /usr/share/man/cat8/ppp.8.gz:     and won't permit the use of any IP address but 192.244.177.2.  When
> /usr/share/man/cat8/ppp.8.gz:     uses 192.244.177.2.
> /usr/share/man/cat8/ppp.8.gz:     192.244.177.255.
> /usr/share/man/cat8/ppp.8.gz:     192.244.191.255.
>
Nope.  They are caused by bad mdoc(7) formatting, feel free to fix.

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 2 06:56:01 2004
From: dawnshade
To: Gregory Bond
Date: Mon, 2 Aug 2004 10:55:55 +0400
Message-ID: <139945796863.20040802105555@mail.ru>
In-Reply-To: <200408012317.JAA27513@lightning.itga.com.au>
References: Your message of Fri, 30 Jul 2004 11:41:17 +0400.
    <200408012317.JAA27513@lightning.itga.com.au>
Cc: freebsd-ipfw@freebsd.org
Subject: Re[2]: strange behavior of ipfw2 counters
Reply-To: dawnshade

Hello Gregory,

Monday, August 2, 2004, 3:17:48 AM, you wrote:

GB> h-k@mail.ru said:
>>
>> 00001 5900 1623729 count ip from any to any in recv cp1
>> 00002  130    9768 count ip from any to any out xmit cp1
>>
>> cp1 - external interface, no nat, routes real IP addresses.
>> When I download via http from this router, counter 2 increases, but when
>> I download from a client behind this router via ftp, counter 2 increases, but
>> _very_ little.

GB> In rule 2, you are counting bytes back out to the internet.  For an FTP
GB> download, this will only be the ACK packets - a very tiny amount.
GB> Perhaps you meant "out fxp1" instead?

_in_ fxp??

Next rules:

00001 3565222 1636826036 count ip from any to any in recv cp1
00002  384898  314601856 count ip from any to any out xmit cp1
00003  473872  352073912 count ip from any to any in via fxp*
00004 3584143 1645055815 count ip from any to any out via fxp*

As you see, the counters are similar (a little diff, because I have some
services on the fxp's).  All counters were started at the same time.

>> P.S. Sorry for terrible English.

GB> Your English is far better than our Russian!

:) I think that there is some bug from when the ipfw2 code was MFC'ed to 4.X.
----------
Best regards,
 dawnshade                            mailto:h-k@mail.ru

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 2 07:14:21 2004
From: Gregory Bond
Sender: gnb@itga.com.au
To: dawnshade
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 02 Aug 2004 17:14:13 +1000
Subject: Re: Re[2]: strange behavior of ipfw2 counters
Message-Id: <200408020714.RAA27624@lightning.itga.com.au>
In-reply-to: Your message of Mon, 02 Aug 2004 10:55:55 +0400.

> 00001 3565222 1636826036 count ip from any to any in recv cp1
> 00002  384898  314601856 count ip from any to any out xmit cp1
> 00003  473872  352073912 count ip from any to any in via fxp*
> 00004 3584143 1645055815 count ip from any to any out via fxp*

> I think that there is some bug from when the ipfw2 code was MFC'ed to 4.X.

I don't think so, these counters are pretty much what I'd expect to see if a
client on fxp0 was FTPing through this machine.
Why do you think this is wrong?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 2 07:26:39 2004
From: dawnshade
To: Gregory Bond
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 2 Aug 2004 11:26:34 +0400
Subject: Re[4]: strange behavior of ipfw2 counters
Message-ID: <192947635788.20040802112634@mail.ru>
In-Reply-To: <200408020714.RAA27624@lightning.itga.com.au>
References: Your message of Mon, 02 Aug 2004 10:55:55 +0400.
    <200408020714.RAA27624@lightning.itga.com.au>
Reply-To: dawnshade

Hello Gregory,

Monday, August 2, 2004, 11:14:13 AM, you wrote:

>> 00001 3565222 1636826036 count ip from any to any in recv cp1
>> 00002  384898  314601856 count ip from any to any out xmit cp1
>> 00003  473872  352073912 count ip from any to any in via fxp*
>> 00004 3584143 1645055815 count ip from any to any out via fxp*

>> I think that there is some bug from when the ipfw2 code was MFC'ed to 4.X.

GB> I don't think so, these counters are pretty much what I'd expect to see if a
GB> client on fxp0 was FTPing through this machine.

GB> Why do you think this is wrong?
Unfortunately, I can't remember the behavior of these counters with ipfw1, but
a computer marked "" (running 4.9 with ipfw1) has the same counters:

00001 120794245 61279699894 count ip from any to any in recv fxp0
00002 139895587 13633742418 count ip from any to any out xmit fxp0

(fxp0 - external if).  And counter 1 shows the _real_ traffic volume.

So, the question: why does download traffic show real numbers, while upload
does not?

----------
Best regards,
 dawnshade                            mailto:h-k@mail.ru

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 2 11:08:31 2004
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 2 Aug 2004 11:08:30 GMT
Subject: Current problem reports assigned to you
Message-Id: <200408021108.i72B8UkO009590@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] i386/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
o [2004/03/14] kern/64240  ipfw   IPFW tee terminates rule processing

6 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw   [patch] make "ipfw tee" work as intended
o [2004/03/09] kern/63961  ipfw   ipfw2 uid matching doesn't work correctly

12 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 2 13:05:39 2004
From: Roderick van Domburg
Organization: University of Twente
To: freebsd-sparc64@freebsd.org, freebsd-ipfw@freebsd.org
Date: Mon, 02 Aug 2004 15:05:19 +0200
Subject: Does ip6fw work for you on sparc64?
Message-ID: <410E3C0F.20403@student.utwente.nl>

Hello everybody,

Does ip6fw work for any sparc64 owners?  It hasn't been working correctly for
me for as long as I can remember.  Behavior is very erratic: allow ipv6 works,
but allow {tcp|udp} doesn't.  Such rules do show up in the traffic counter, but
really don't allow any traffic to pass at all.

I run a sparc64 with a world from 2004-08-02.
Here's my firewall configuration:

00100 allow ipv6 from any to any via lo0
00200 deny ipv6 from any to ::1
00300 deny ipv6 from ::1 to any
00400 allow ipv6-icmp from :: to ff02::/16
00500 allow ipv6-icmp from fe80::/10 to fe80::/10
00600 allow ipv6-icmp from fe80::/10 to ff02::/16
00700 allow ipv6 from fe80::/10 to ff02::/16
00800 allow ipv6 from 2001:610:1908:8000::/64 to ff02::/16
00900 allow tcp from any to any established
01000 allow ipv6 from any to any frag
01100 allow tcp from any to 2001:610:1908:8000:a00:20ff:fecf:c01b 25 setup
01200 allow tcp from any to 2001:610:1908:8000:a00:20ff:fecf:c01b 80 setup
01300 allow tcp from 2001:610:1908:8000:a00:20ff:fecf:c01b to any setup
01400 deny tcp from any to any setup
01500 allow udp from any 53 to 2001:610:1908:8000:a00:20ff:fecf:c01b
01600 allow udp from 2001:610:1908:8000:a00:20ff:fecf:c01b to any 53
01700 allow udp from any 123 to 2001:610:1908:8000:a00:20ff:fecf:c01b
01800 allow udp from 2001:610:1908:8000:a00:20ff:fecf:c01b to any 123
01900 allow ipv6-icmp from any to any icmptype 33
02000 allow ipv6-icmp from any to any icmptype 34
65535 deny ipv6 from any to any

Any ideas?
Regards,

Roderick

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 3 05:25:47 2004
From: Hendry Sarumpaet
To: freebsd-ipfw@freebsd.org
Date: Tue, 3 Aug 2004 12:25:36 +0700
Subject: what does this message mean ?
Message-Id: <20040803122536.00001302@ezekiel>

Dear All,

I have a strange message found at our router.
Here's the following one:

dummynet: heap_init, resize 32 failed
dummynet: sorry, cannot allocate queue for new flow
dummynet: sorry, cannot allocate queue for new flow
dummynet: sorry, cannot allocate queue for new flow
-------------------------------

After the messages appeared, we weren't even able to add a new ipfw rule with a
new queue.  Are there any tips or suggestions on how to solve this kind of
problem?

--
cheers
hsa

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 5 02:02:56 2004
From: James
To: Evgeny Ivanov
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 4 Aug 2004 22:02:56 -0400
Subject: Re: IPFW2 tables Again
Message-ID: <20040805020256.GA52484@scylla.towardex.com>
In-Reply-To: <40FF6220.9030506@sofia.itdnet.net>
References: <40FF6220.9030506@sofia.itdnet.net>

>
> The question is: can I do it for about 200 users, and would that affect
> the machine performance.
> Because the table will be checked many many times.  Can you please advise
> me ?

The table itself is a patricia trie.  Which means the lookup of the nodes
within the table (i.e.
all the IP's inside table(1)) is always an O(32) constant lookup.

However, your problem is elsewhere.  You have a potentially increasing number
of IPFW *RULES.*  The ruleset (i.e. rule 00001 to 65535) is processed as a
linked list at the rate of an O(N) linear lookup.  The more rules the firewall
has to pass the packet through = the slower the performance and the more
potential for added latency.

First there were { x or y } brace blocks to compress the number of vertical
rules passed.  But the { x or y } blocks are also processed as a linear lookup,
which doesn't really improve performance.  Now we have the table lookup to
improve the performance for rules compressed into a table rule.

The problem with your setup is that your rules aren't exactly compressed.  Your
setup has the potential for an increasing number of rules which, I am afraid,
are linear-lookup based.  Consider using skipto's and/or structure your IPFW
rules using skipto's so that it becomes more efficient/predictable.

It would be good to see a form of 'compiled ACL' for IPFW publicly available
(there are a couple of proprietary commercial modifications I am aware of) some
day :-D  Maybe format it a little similar to a TCAM table, where the firewall
matches dest|src prefix + mask based on a bit trie (i.e. patricia trie or
multibit), then does a hash lookup on values within the matching table (i.e.
source port / dest port)?  I am sure there are other and probably more
efficient ways to do it too.

-J

--
James Jun                                    TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867       web: http://www.towardex.com , noc: www.twdx.net

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 6 22:32:03 2004
From: Forrest Aldrich
To: freebsd-ipfw@freebsd.org
Date: Fri, 06 Aug 2004 18:31:51 -0400
Subject: Blocking SMTP traffic based upon RBL....
Message-ID: <411406D7.2000808@forrie.com>

There are probably dangerous consequences to doing something like this
improperly; however, there is a project out there called PacketBL:

http://wiki.duskglow.com/index.php/Packetbl

It's for Linux only, unfortunately -- however I like the idea.  It
interfaces with the packet filtering system and selectively blocks SMTP
(port 25, configurable) traffic based upon RBLs etc.
I wonder if there is a similar way to accomplish this with FreeBSD/ipfw...

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 6 22:51:32 2004
From: Vince Vielhaber
To: Forrest Aldrich
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 6 Aug 2004 18:51:31 -0400 (EDT)
Subject: Re: Blocking SMTP traffic based upon RBL....
In-Reply-To: <411406D7.2000808@forrie.com>
References: <411406D7.2000808@forrie.com>

On Fri, 6 Aug 2004, Forrest Aldrich wrote:

> There are probably dangerous consequences to doing something like this
> improperly; however, there is a project out there called PacketBL:
>
> http://wiki.duskglow.com/index.php/Packetbl
>
> It's for Linux only, unfortunately -- however I like the idea.  It
> interfaces with the packet filtering system and selectively blocks SMTP
> (port 25, configurable) traffic based upon RBLs etc.
>
> I wonder if there is a similar way to accomplish this with FreeBSD/ipfw...

This works with qmail and any (unixish) OS:

   http://cr.yp.to/ucspi-tcp/rblsmtpd.html

It's part of the ucspi-tcp package.  I've been using it since sometime
around '98 without a problem.  Been using qmail even longer, no problem
there either.

Vince.
--
 Fast, inexpensive internet service 56k and beyond!  http://www.pop4.net/
 http://www.meanstreamradio.com       http://www.unknown-artists.com
 Online radio: It's not file sharing, it's just radio.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 6 22:56:45 2004
From: Forrest Aldrich
To: Vince Vielhaber
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 06 Aug 2004 18:56:32 -0400
Subject: Re: Blocking SMTP traffic based upon RBL....
Message-ID: <41140CA0.7090409@forrie.com>
References: <411406D7.2000808@forrie.com>
Hi Vince,

Thanks for the pointer.  I use Sendmail-8.13 on my system, Postfix in the
future.  I'm guessing rblsmtpd will require the adoption of ucspi, which would
break some of the configs I work with now.

I'll look at it.  Thanks.

Vince Vielhaber wrote:

> On Fri, 6 Aug 2004, Forrest Aldrich wrote:
>
>> There are probably dangerous consequences to doing something like this
>> improperly; however, there is a project out there called PacketBL:
>>
>> http://wiki.duskglow.com/index.php/Packetbl
>>
>> It's for Linux only, unfortunately -- however I like the idea.  It
>> interfaces with the packet filtering system and selectively blocks SMTP
>> (port 25, configurable) traffic based upon RBLs etc.
>>
>> I wonder if there is a similar way to accomplish this with FreeBSD/ipfw...
>
> This works with qmail and any (unixish) OS:
>
>    http://cr.yp.to/ucspi-tcp/rblsmtpd.html
>
> It's part of the ucspi-tcp package.  I've been using it since sometime
> around '98 without a problem.  Been using qmail even longer, no problem
> there either.
>
> Vince.
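James's point in the "IPFW2 tables Again" thread above (a table is a patricia trie, so a lookup is bounded by the 32 address bits, while the ruleset is a linear list) and the "Blocking SMTP traffic based upon RBL" thread's idea of feeding blacklist hits into the packet filter, as one added Python model that is not code from any poster or from ipfw itself: it builds an ipfw-table-like binary prefix trie, counts lookup steps against a linear scan of 200 per-user rules, and turns stub DNSBL answers into 'ipfw table 1 add' lines. The DNSBL zone, the resolver and all addresses are constructed stand-ins, and the step comparison uses non-overlapping /32 entries because a table does longest-prefix match while an ordered ruleset is first-match.

```python
"""Added model, not code from any list poster or from ipfw itself.

Two things from the thread: an ipfw table as a binary prefix trie (the
patricia/radix idea) whose lookup visits at most 32 nodes, versus a ruleset
walked as a linear list; and DNSBL answers feeding such a table, the way the
PacketBL idea feeds a packet filter.  The DNSBL zone, the resolver and every
address here are constructed stand-ins (RFC 5737 documentation ranges).
"""
import ipaddress


class PrefixTrie:
    """Binary trie keyed on the bits of an IPv4 prefix; longest-prefix match."""

    def __init__(self):
        self.root = {}

    def add(self, cidr, value):
        net = ipaddress.ip_network(cidr, strict=False)
        bits = format(int(net.network_address), "032b")[: net.prefixlen]
        node = self.root
        for b in bits:
            node = node.setdefault(b, {})
        node["value"] = value

    def lookup(self, ip):
        """Return (value or None, nodes visited); visits never exceed 32."""
        node = self.root
        best, visited = node.get("value"), 0
        for b in format(int(ipaddress.ip_address(ip)), "032b"):
            if b not in node:
                break  # no longer prefix is stored below this point
            node = node[b]
            visited += 1
            if "value" in node:
                best = node["value"]  # the longest match seen so far wins
        return best, visited


def linear_lookup(rules, ip):
    """First-match walk over [(cidr, action), ...]: (action, rules examined).

    Unlike the trie, the cost grows with the number of rules ahead of the match.
    """
    addr = ipaddress.ip_address(ip)
    for n, (cidr, action) in enumerate(rules, 1):
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action, n
    return None, len(rules)


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.7 -> 7.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(resolve, ip, zone):
    """A DNSBL answers a listed address with an A record inside 127.0.0.0/8."""
    return any(
        ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")
        for a in resolve(dnsbl_query_name(ip, zone))
    )


def build_block_table(resolve, candidates, zone, table_no=1):
    """Return (trie, 'ipfw table N add' lines) for the candidates the DNSBL lists."""
    trie, commands = PrefixTrie(), []
    for ip in candidates:
        if dnsbl_listed(resolve, ip, zone):
            trie.add(ip + "/32", "deny")
            commands.append(f"ipfw table {table_no} add {ip}/32")
    return trie, commands


# Constructed stand-in for a DNSBL: exactly one address is "listed".
FAKE_ZONE = "dnsbl.example"
FAKE_ANSWERS = {dnsbl_query_name("192.0.2.7", FAKE_ZONE): ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])


def demo():
    """200 per-user /32 entries (the 'about 200 users' case) plus a DNSBL feed."""
    users = [f"198.51.100.{i}" for i in range(1, 201)]
    rules = [(u + "/32", "allow") for u in users]
    trie = PrefixTrie()
    for cidr, action in rules:
        trie.add(cidr, action)
    last = users[-1]
    _, linear_steps = linear_lookup(rules, last)  # examines all 200 rules
    _, trie_steps = trie.lookup(last)             # 32 nodes, however many users
    _, commands = build_block_table(fake_resolve, ["192.0.2.7", "192.0.2.8"], FAKE_ZONE)
    return linear_steps, trie_steps, commands


if __name__ == "__main__":
    print(demo())
```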