From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 22 10:50:35 2004
From: Gleb Smirnoff
To: ipfw@FreeBSD.org
Date: Mon, 22 Nov 2004 10:50:34 GMT
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT

The following reply was made to PR kern/73910; it has been noted by GNATS.
From: Gleb Smirnoff
To: ap@gw-1.wetteronline.de
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT
Date: Mon, 22 Nov 2004 13:43:46 +0300

Can you show your kernel configuration, pls?

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 22 10:50:40 2004
From: Gleb Smirnoff
To: ipfw@FreeBSD.org
Date: Mon, 22 Nov 2004 10:50:39 GMT
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT

The following reply was made to PR kern/73910; it has been noted by GNATS.
From: Gleb Smirnoff
To: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT
Date: Mon, 22 Nov 2004 13:49:05 +0300

Note to audit-trail: email to submitter address bounces.

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 22 11:02:34 2004
Date: Mon, 22 Nov 2004 11:02:32 GMT
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154  ipfw  ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25]  kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13]  kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw  ipfw2/1 conflict not detected or reported

7 problems total.

Non-critical problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30]  kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04]  kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 22 11:30:37 2004
From: Achim Patzner
To: ipfw@FreeBSD.org
Date: Mon, 22 Nov 2004 11:30:37 GMT
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT

The following reply was made to PR kern/73910; it has been noted by GNATS.
From: Achim Patzner
To: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT
Date: Mon, 22 Nov 2004 12:22:14 +0100

(I guess someone should adjust his AV engine... My Mac is ROTFLing.)

<glebius@bestcom.ru>: host relay.bestcom.ru[217.72.144.5] said: 550 5.7.1 Error HD77: Virus Sobig found

Reporting-MTA: dns; mx2.freebsd.org
Arrival-Date: Mon, 22 Nov 2004 11:15:12 +0000 (GMT)

Final-Recipient: rfc822; glebius@bestcom.ru
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host relay.bestcom.ru[217.72.144.5] said: 550 5.7.1 Error HD77: Virus Sobig found

From: Achim Patzner
Date: 22 November 2004 12:15:00 CET
To: Gleb Smirnoff
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT

> Can you show your kernel configuration, pls?

GENERIC + all IPFW-options. Sorry, I can't get at the machine because it is deactivated but I used a 5.3 GENERIC and added

options IPFIREWALL                   #firewall
options IPFIREWALL_VERBOSE           #print information about dropped packets
options IPFIREWALL_FORWARD           #enable transparent proxy support
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPDIVERT                     #divert sockets
options IPSTEALTH                    #support for stealth forwarding
options IPSEC                        #IP security
options IPSEC_ESP                    #IP security (crypto; define w/IPSEC)
options DUMMYNET

Achim

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 23 06:41:03 2004
From: zhangzhengnan@hotmail.com
To: freebsd-ipfw@freebsd.org
Date: Tue, 23 Nov 2004 06:40:37 +0000
Subject: ipfw: queue size must be < 1MB

Hello all:

I am trying to use IPFW + Dummynet with the following command:

ipfw pipe 100 config bw 500Mbit/s delay 50ms queue 4096Kbytes

However, "ipfw: queue size must be < 1MB" appears.
Is there a way to let me use DUMMYNet with a large queue size?

Thanks in advance for your suggestion.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 23 09:34:09 2004
Date: Tue, 23 Nov 2004 12:32:36 +0300
From: martes wigglesworth
To: ipfw-mailings
Organization: HHC 276 EN BN
Subject:

Greetings list.

I have implemented some of the suggestions from previous posts, with some other things that I have found online. I have noticed that when I used the 256Kbit/s bw as follows, I get dropped packets, in my drp section of pipe show. Is this normal? I noticed that without the designation of queue size, I get no dropped packets.

Example:

pipe 1 config bw "" queue 10KB
queue 1 config pipe 1 mask dst-ip 0xffffffff queue 9KB

As I asked, above, "Is this functionality common, within the parameters of the queue/pipe/bw combination, that I have?"

--
Respectfully,
M.G.W.

System: Asus M6N Intel Dothan 1.7 512MB RAM 40GB HD 10/100/1000 NIC Wireless b/g (not working yet) BSD-5.2.1 GCC-3.3.5/3.3.3 (until I replace indigenous gcc) IFORT-for linux (Intell Fortran) gfortran python-2.3 Perl-5.6.1/5.8.5 Java-sdk-1.4.2_5 KDE-3.1.4

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 23 09:39:56 2004
From: Martes Wigglesworth
To: ipfw-mailings
Organization: Wiggtekmicro Corporation
Date: Tue, 23 Nov 2004 12:40:12 +0300
Subject: Dropped packets after changing queue size to recommended sizes...

Greetings list.

I have implemented some of the suggestions from previous posts, with some other things that I have found online. I have noticed that when I used the 256Kbit/s bw as follows, I get dropped packets, in my drp section of pipe show. Is this normal? I noticed that without the designation of queue size, I get no dropped packets.

Example:

pipe 1 config bw "" queue 10KB
queue 1 config pipe 1 mask dst-ip 0xffffffff queue 9KB

As I asked, above, "Is this functionality common, within the parameters of the queue/pipe/bw combination, that I have?"

I have also noticed that my ksim application indicates that the KByte bandwidth jumps to 31.5, or 32, which is calculated to 250 or 256. The previously listed bandwidth is less than my 256 setting. The bandwidth stays at 31.0 or less, and only sometimes jumps to 32.0. Any clarification on this is much appreciated.

--
Respectfully,
M.G.W.

System: Asus M6N Intel Dothan 1.7 512MB RAM 40GB HD 10/100/1000 NIC Wireless b/g (not working yet) BSD-5.2.1 GCC-3.3.5/3.3.3 (until I replace indigenous gcc) IFORT-for linux (Intell Fortran) gfortran python-2.3 Perl-5.6.1/5.8.5 Java-sdk-1.4.2_5 KDE-3.1.4

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 23 16:15:25 2004
Date: Tue, 23 Nov 2004 08:15:35 -0800
From: Brooks Davis
To: zhangzhengnan@hotmail.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw: queue size must be < 1MB

On Tue, Nov 23, 2004 at 06:40:37AM +0000, zhangzhengnan@hotmail.com wrote:
> Hello all:
>
> I am trying to use IPFW + Dummynet with the following command:
>
> ipfw pipe 100 config bw 500Mbit/s delay 50ms queue 4096Kbytes
>
> However, "ipfw: queue size must be < 1MB" appears.
> Is there a way to let me use DUMMYNet with a large queue size?

Modify sbin/ipfw/ipfw2.c to allow queue sizes larger than 1024*1024 and do the same in the set_fs_parms() function in sys/netinet/ip_dummynet.c. I'm not sure why 1MB was chosen, it seems rather arbitrary.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 23 20:53:33 2004
From: NetAdmin
To: freebsd-ipfw@freebsd.org
Date: Tue, 23 Nov 2004 15:53:32 -0500
Subject: IPFW2 tables

I just found out about tables. I've been trying to google for correct syntax but as yet have not been able to find anything. Can anyone direct me to a good howto for setting up IPFW tables? Using 5.3 Release.

did the following;

# ipfw table 1 add 0.0.0.0/8

shows
# ipfw table 1 list
0.0.0.0/8 0

Set rule as; *Note: found there was a problem using table (1)
{fwcmd} add 300 deny ip from table '1' to me

The odd part is, I get this with the 'ipfw show' command
# ipfw show
00300 deny ip from 216.65.30.238 1 to me

So obviously I'm doing something wrong. Any help would be greatly appreciated.

Respectfully,
Mark Barthelemy

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 23 21:36:21 2004
Date: Tue, 23 Nov 2004 21:32:27 -0000
To: NetAdmin, freebsd-ipfw@freebsd.org
From: Thomas Wolf
Subject: Re: IPFW2 tables

NetAdmin wrote:
> I just found out about tables. I've been trying to google for correct
> syntax but as yet have not been able to find anything. Can anyone
> direct me to a good howto for setting up IPFW tables? Using 5.3
> Release.
>
> did the following;
>
> # ipfw table 1 add 0.0.0.0/8
>
> shows
> # ipfw table 1 list
> 0.0.0.0/8 0
>
> Set rule as; *Note: found there was a problem using table (1)
> {fwcmd} add 300 deny ip from table '1' to me

The correct syntax that should work under any shell should be
{fwcmd} add 300 deny ip from table\(1\) to me
or
{fwcmd} add 300 deny ip from "table(1)" to me

> The odd part is, I get this with the 'ipfw show' command
> # ipfw show
> 00300 deny ip from 216.65.30.238 1 to me

Hm. is 'table' a hostname in your network? When I tried your syntax, I got:
tele# ipfw add 1 count all from table '1' to me
ipfw: hostname ``table'' unknown
tele#

Thomas

--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 23 22:05:30 2004
From: NetAdmin
To: freebsd-ipfw@freebsd.org
Date: Tue, 23 Nov 2004 17:05:29 -0500
Subject: Re: IPFW2 tables

On Tue, 2004-11-23 at 21:32 +0000, Thomas Wolf wrote:
> NetAdmin wrote:
>
> > I just found out about tables. I've been trying to google for correct
> > syntax but as yet have not been able to find anything. Can anyone
> > direct me to a good howto for setting up IPFW tables? Using 5.3
> > Release.
> >
> > did the following;
> >
> > # ipfw table 1 add 0.0.0.0/8
> >
> > shows
> > # ipfw table 1 list
> > 0.0.0.0/8 0
> >
> > Set rule as; *Note: found there was a problem using table (1)
> > {fwcmd} add 300 deny ip from table '1' to me
>
> The correct syntax that should work under any shell should be
> {fwcmd} add 300 deny ip from table\(1\) to me
> or
> {fwcmd} add 300 deny ip from "table(1)" to me
>
> > The odd part is, I get this with the 'ipfw show' command
> > # ipfw show
> > 00300 deny ip from 216.65.30.238 1 to me
>
> Hm. is 'table' a hostname in your network? When I tried
> your syntax, I got:
> tele# ipfw add 1 count all from table '1' to me
> ipfw: hostname ``table'' unknown
> tele#
>
> Thomas

Great! That worked. Thanks. Now, is there a page I can refer to for other commands and syntax like adding multiple ports?

I tried the following and assume it works.

${fwcmd} add 301 deny all from "table(2)" to me 20-25,110,113,143

# ipfw show
00301 0 0 deny ip from table(2) to me dst-port 20-25,110,113,143

Mark

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 23 22:32:58 2004
Date: Tue, 23 Nov 2004 22:29:07 -0000
To: NetAdmin, freebsd-ipfw@freebsd.org
From: Thomas Wolf
Subject: Re: IPFW2 tables

NetAdmin wrote:
> > > Set rule as; *Note: found there was a problem using table (1)
> > > {fwcmd} add 300 deny ip from table '1' to me
> >
> > The correct syntax that should work under any shell should be
> > {fwcmd} add 300 deny ip from table\(1\) to me
> > or
> > {fwcmd} add 300 deny ip from "table(1)" to me
>
> Great! That worked. Thanks. Now, is there a page I can refer to for
> other commands and syntax like adding multiple ports?

'man 8 ipfw' is still the best reference for commands and syntax (IMHO).

> I tried the
> following and assume it works.
>
> ${fwcmd} add 301 deny all from "table(2)" to me 20-25,110,113,143
>
> # ipfw show
> 00301 0 0 deny ip from table(2) to me dst-port
> 20-25,110,113,143

That looks ok. Although I would 'unreach host' or 'reset' packets to ident (port 113). 'Dropping' them just gets you delays when querying mailservers and other services.

Thomas

--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 24 00:27:16 2004
From: NetAdmin
To: tw@wsf.at
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 23 Nov 2004 19:27:16 -0500
Subject: Re: IPFW2 tables

On Tue, 2004-11-23 at 22:29 +0000, Thomas Wolf wrote:
> NetAdmin wrote:
>
> > > > Set rule as; *Note: found there was a problem using table (1)
> > > > {fwcmd} add 300 deny ip from table '1' to me
> > >
> > > The correct syntax that should work under any shell should be
> > > {fwcmd} add 300 deny ip from table\(1\) to me
> > > or
> > > {fwcmd} add 300 deny ip from "table(1)" to me
> >
> > Great! That worked. Thanks. Now, is there a page I can refer to for
> > other commands and syntax like adding multiple ports?
>
> 'man 8 ipfw' is still the best reference for commands and syntax (IMHO).
>
> > I tried the
> > following and assume it works.
> >
> > ${fwcmd} add 301 deny all from "table(2)" to me 20-25,110,113,143
> >
> > # ipfw show
> > 00301 0 0 deny ip from table(2) to me dst-port
> > 20-25,110,113,143
>
> That looks ok. Although I would 'unreach host' or 'reset' packets
> to ident (port 113). 'Dropping' them just gets you delays when
> querying mailservers and other services.
>
> Thomas

I did look at the man page for tables. The only thing really mentioned is;

ipfw table number add addr[/masklen] [value]
ipfw table number delete addr[/masklen]
ipfw table number flush
ipfw table number list

and

LOOKUP TABLES
Lookup tables are useful to handle large sparse address sets, typically from a hundred to several thousands of entries. There could be 128 different lookup tables, numbered 0 to 127.

etc... etc...

Make no mistake, I appreciate your help immensely and unless someone else had responded, I would still be wondering what I needed to do. However, I have checked the sources commonly available to newer users including searches on google. Having said that, nowhere in 'man 8 ipfw' does it say how to add multiple ports in conjunction with Tables or the correct syntax for adding the table to rc.firewall. Tables for IPFW isn't even mentioned in http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

That is why I asked if anyone knew of any other sources of information on Tables and their syntax. It is what I am still asking. Where can I find more information on using tables with IPFW?

Respectfully,
Mark

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 24 08:14:43 2004
From: Martes Wigglesworth To: NetAdmin In-Reply-To: <1101256036.22644.69.camel@foxdaemon.com> References: <20041123232907.gkw44hr838gk48@.mailhost.wsf.at> <1101256036.22644.69.camel@foxdaemon.com> Content-Type: multipart/mixed; boundary="=-zbYli8D4uvNlmLtvvXdI" Organization: Wiggtekmicro Corporation Message-Id: <1101284098.40685.85.camel@Mobile1.276NET> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 Date: Wed, 24 Nov 2004 11:14:58 +0300 X-ELNK-Trace: 532caf459ba90ce6996df0496707a79d9bea09fe345ed53d9ef193a6bfc3dd48552c17b821f5638af2ed6fb11287550989663e5c6b578e64350badd9bab72f9c X-Originating-IP: 83.170.20.46 cc: ipfw-mailings Subject: Re: IPFW2 tables X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: martes.wigglesworth@earthlink.net List-Id: IPFW Technical Discussions X-List-Received-Date: Wed, 24 Nov 2004 08:14:43 -0000 --=-zbYli8D4uvNlmLtvvXdI Content-Type: text/plain Content-Transfer-Encoding: 7bit

Dude. I think that the multiple ports section is universal, because each section of an ipfw command is programmed into the ipfw syntax. Like a case, in a shell script. So, it would be theoretically redundant to list, for example, how to use multiple ports on tables, when it is already listed for general usage. I am new, as well, however, it is part of my job to deal with this stuff, so I sit here and play with things. I have not gotten to tables, because I have not seen the benefit, as of yet, however, by playing around, I have noticed that many of the features are just arguments that are being sent to a shell command, and can be thought of as such. Like about a month or so ago, when I was having trouble with brackets because I had forgotten that they were simply used to separate arguments within the string of arguments.
A helpful person indicated that I should use the back-slash in front of the brackets, because the shell was reading them independent of the commands that I was trying to pass to ipfw. This may have been overkill, or inaccurate; however, thinking of the different features as complex arguments to a shell command has made things easier when reading through the man page(s). Please, someone correct me if I am completely off of the target with my assumption. It seems to work for me, and I felt that you could benefit from that frame of thought for ipfw.

-- 
Respectfully,
M.G.W.

System: Asus M6N Intel Dothan 1.7 512MB RAM 40GB HD 10/100/1000 NIC Wireless b/g (not working yet) BSD-5.2.1 GCC-3.3.5/3.3.3 (until I replace indigenous gcc) IFORT for linux (Intel Fortran) gfortran python-2.3 Perl-5.6.1/5.8.5 Java-sdk-1.4.2_5 KDE-3.1.4

--=-zbYli8D4uvNlmLtvvXdI Content-Disposition: inline Content-Description: Forwarded message - Re: IPFW2 tables Content-Type: message/rfc822

[Attached: Mark's "Re: IPFW2 tables" of Tue, 23 Nov 2004 19:27:16 -0500, Message-Id <1101256036.22644.69.camel@foxdaemon.com>, identical to the message quoted in full above.]

--=-zbYli8D4uvNlmLtvvXdI--

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 24 19:20:55 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 908D816A4CE for ; Wed, 24 Nov 2004 19:20:55 +0000 (GMT) Received: from server1.carmatec.com (server1.carmatec.com [66.45.229.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6060143D2D for ; Wed, 24 Nov 2004 19:20:55 +0000 (GMT) (envelope-from akhthar@carmatec.com) Received: from [202.88.173.225] (helo=server.trouble-free.net) by server1.carmatec.com with esmtpa (Exim 4.43) id 1CX2hA-0007JB-0p for freebsd-ipfw@freebsd.org; Wed, 24 Nov 2004 14:20:31 -0500
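The two messages above, Mark's table rule with a port list and Martes's point that it is the shell, not ipfw, that trips over bare parentheses, are worked through below in a small POSIX sh script. This is an added example and is not code from either poster or from FreeBSD. Its assumptions: `fwcmd` defaults to `echo ipfw` so the script is a dry run on any host (rc.firewall uses the same variable name, which is why it is borrowed); the function names `valid_portlist`, `table_deny_rule`, `shell_accepts` and `load_rules` are this example's own; the table entries 192.0.2.0/24 and 198.51.100.7 are constructed sample prefixes; rule numbers 300/301, table 2 and the port list 20-25,110,113,143 are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: compose ipfw rules
# that use lookup tables and port lists, validate the port list first, and
# show that an unquoted table(1) dies in the shell before ipfw ever runs.
# fwcmd defaults to a dry run so this is safe on any host; exporting
# fwcmd=/sbin/ipfw would load the rules for real (assumption: same variable
# name as rc.firewall).
set -f                          # no pathname expansion while splitting lists
fwcmd="${fwcmd:-echo ipfw}"

# valid_portlist LIST: succeed if LIST is a comma-separated set of ports and
# ascending port ranges, each within 1..65535 (e.g. 20-25,110,113,143).
valid_portlist() {
    _saved_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$_saved_ifs
    [ $# -gt 0 ] || return 1
    for _item in "$@"; do
        case $_item in
        *-*) _lo=${_item%%-*} _hi=${_item#*-} ;;
        *)   _lo=$_item _hi=$_item ;;
        esac
        case $_lo in ''|*[!0-9]*) return 1 ;; esac
        case $_hi in ''|*[!0-9]*) return 1 ;; esac
        [ "$_lo" -ge 1 ] && [ "$_hi" -le 65535 ] && [ "$_lo" -le "$_hi" ] || return 1
    done
    return 0
}

# table_deny_rule NUM PROTO TABLE [PORTLIST]: print the ipfw rule body.
# The table(...) token is written inside double quotes so that the shell
# hands it to ipfw as one word; bare parentheses are shell syntax.
table_deny_rule() {
    if [ -n "${4:-}" ]; then
        valid_portlist "$4" || return 1
        printf 'add %s deny %s from "table(%s)" to me dst-port %s\n' "$1" "$2" "$3" "$4"
    else
        printf 'add %s deny %s from "table(%s)" to me\n' "$1" "$2" "$3"
    fi
}

# shell_accepts CMDLINE: succeed if /bin/sh can parse CMDLINE (-n: parse only,
# never execute).  This is the check that separates a shell syntax error,
# which is what the unquoted table(1) produces, from an ipfw error.
shell_accepts() {
    sh -n -c "$1" 2>/dev/null
}

# load_rules: populate table 2 with constructed sample prefixes and install
# the two rules from the thread through $fwcmd (a plain echo by default).
load_rules() {
    $fwcmd table 2 flush &&
    $fwcmd table 2 add 192.0.2.0/24 &&
    $fwcmd table 2 add 198.51.100.7 &&
    $fwcmd add 300 deny ip from "table(1)" to me &&
    _rule=$(table_deny_rule 301 ip 2 20-25,110,113,143) &&
    eval "$fwcmd $_rule"
}

load_rules
```

Run as-is it prints the five ipfw commands it would execute; the last one comes out as `ipfw add 301 deny ip from table(2) to me dst-port 20-25,110,113,143`, which is the form `ipfw show` printed in the thread. `shell_accepts 'ipfw add 300 deny ip from table(1) to me'` fails with a syntax error while the `"table(1)"` and `table\(1\)` spellings pass, which is exactly the difference Thomas pointed out.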
From: "Akhthar Parvez. K" Organization: Carmatec Solutions To: freebsd-ipfw@freebsd.org Date: Thu, 25 Nov 2004 00:50:55 +0530 User-Agent: KMail/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200411250050.55960.akhthar@carmatec.com> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server1.carmatec.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - carmatec.com Subject: block an IP for a particular port X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: akhthar@carmatec.com List-Id: IPFW Technical Discussions X-List-Received-Date: Wed, 24 Nov 2004 19:20:55 -0000

Hi All,

I just wanna block an IP range for a particular port. I used the following command.

    ipfw add 00150 drop tcp from 200.0.0.0/24 to any 80

I am able to see the following line in ipfw list

    00150 deny tcp from 200.0.0.0/24 to any 80

But I don't think it's working. I am still getting the requests from that IP range. Do I need to do anything else to make it work?

Thanks in advance.
-- With Regards, Akhthar Parvez.K --------------------- NOTHING IS IMPOSSIBLE Because Impossible itself says I'M POSSIBLE From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 24 19:26:20 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3C05016A4CE for ; Wed, 24 Nov 2004 19:26:20 +0000 (GMT) Received: from obaasan.animanga.nu (110.net90.skekraft.net [213.199.90.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7305E43D5A for ; Wed, 24 Nov 2004 19:26:19 +0000 (GMT) (envelope-from neko@grafit.it) Received: from localhost (localhost [127.0.0.1]) by obaasan.animanga.nu (Postfix) with ESMTP id DB41A19E033; Wed, 24 Nov 2004 20:26:17 +0100 (CET) Received: from obaasan.animanga.nu ([127.0.0.1]) by localhost (obaasan.animanga.nu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 91007-02; Wed, 24 Nov 2004 20:26:17 +0100 (CET) Received: from [192.168.1.66] (ibook.potentia.org [192.168.1.66]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by obaasan.animanga.nu (Postfix) with ESMTP id 0BB3419E03E; Wed, 24 Nov 2004 20:26:17 +0100 (CET) In-Reply-To: <200411250050.55960.akhthar@carmatec.com> References: <200411250050.55960.akhthar@carmatec.com> Mime-Version: 1.0 (Apple Message framework v619) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: Content-Transfer-Encoding: 7bit 
From: =?ISO-8859-1?Q?Frans_Gidl=F6f?= Date: Wed, 24 Nov 2004 20:26:16 +0100 To: akhthar@carmatec.com X-Mailer: Apple Mail (2.619) X-Virus-Scanned: by amavisd-new at potentia.org cc: freebsd-ipfw@freebsd.org Subject: Re: block an IP for a particular port X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Nov 2004 19:26:20 -0000 /24 isn't the correct netmask, /8 is (by the looks of it anyway) On Nov 24, 2004, at 8:20 PM, Akhthar Parvez. K wrote: > Hi All, > > I just wanna block an IP range for a particular port. I used the > following > command. > > ipfw add 00150 drop tcp from 200.0.0.0/24 to any 80 > > I am able to see the following line in ipfw list > > 00150 deny tcp from 200.0.0.0/24 to any 80 > > But I don't think it's working. I am still getting the requests from > that IP > range. Do I need to do anything else to make it works? > > Thanks in advance. 
> > -- > With Regards, > > Akhthar Parvez.K > > --------------------- > NOTHING IS IMPOSSIBLE > Because Impossible itself says > I'M POSSIBLE > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 27 16:05:36 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8116316A4CE for ; Sat, 27 Nov 2004 16:05:36 +0000 (GMT) Received: from amsfep18-int.chello.nl (amsfep18-int.chello.nl [213.46.243.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id B74E143D31 for ; Sat, 27 Nov 2004 16:05:34 +0000 (GMT) (envelope-from joost@jodocus.org) Received: from bps.jodocus.org ([80.57.157.16]) by amsfep18-int.chello.nl (InterMail vM.6.01.03.04 201-2131-111-106-20040729) with ESMTP id <20041127160532.UMRE7692.amsfep18-int.chello.nl@bps.jodocus.org> for ; Sat, 27 Nov 2004 17:05:32 +0100 Received: from jodocus.org (localhost [127.0.0.1]) by bps.jodocus.org (8.13.1/8.13.1) with ESMTP id iARG5W43007318 for ; Sat, 27 Nov 2004 17:05:32 +0100 (CET) (envelope-from joost@jodocus.org) Received: (from joost@localhost) by jodocus.org (8.13.1/8.13.1/Submit) id iARG5WhL007317 for freebsd-ipfw@freebsd.org; Sat, 27 Nov 2004 17:05:32 +0100 (CET) (envelope-from joost) Date: Sat, 27 Nov 2004 17:05:32 +0100 
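Frans's point is that 200.0.0.0/24 covers only 200.0.0.0 through 200.0.0.255, while everything that starts with 200 is 200.0.0.0/8, and that is checkable before a rule is loaded. The script below is an added example, not code from the thread or from FreeBSD, written in POSIX sh arithmetic so it runs without ipfw. The helpers `ip2int`, `prefix_mask`, `cidr_contains` and `common_prefix_len` are this example's own names, and the sample sources 200.0.0.77 and 200.1.2.3 are constructed to land inside and outside the /24 respectively. It goes slightly beyond the thread: `common_prefix_len` reports the tightest prefix that would still cover two given addresses, which is the quickest way to see why a rule missed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: check which source
# addresses an ipfw "from a.b.c.d/len" clause matches, using only POSIX sh
# arithmetic, so a wrong prefix length is caught before the rule is loaded.
set -f                          # no pathname expansion while splitting octets

# ip2int A.B.C.D: print the address as an unsigned 32-bit integer;
# fail on anything that is not exactly four octets in 0..255.
ip2int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask LEN: print the netmask for a prefix length 0..32 as an integer
# (4294967295 is 0xFFFFFFFF, spelled in decimal for older sh arithmetic).
prefix_mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_contains A.B.C.D/LEN X.Y.Z.W: succeed if the address lies inside the
# prefix, i.e. both agree on the first LEN bits; return 2 on malformed input.
cidr_contains() {
    case $1 in */*) ;; *) return 2 ;; esac
    _net=$(ip2int "${1%/*}")       || return 2
    _mask=$(prefix_mask "${1#*/}") || return 2
    _addr=$(ip2int "$2")           || return 2
    [ $(( _net & _mask )) -eq $(( _addr & _mask )) ]
}

# common_prefix_len A B: print the longest prefix length whose network
# contains both addresses, i.e. the /LEN a single rule needs to match both.
common_prefix_len() {
    _x=$(ip2int "$1") || return 2
    _y=$(ip2int "$2") || return 2
    _diff=$(( _x ^ _y ))
    _len=32
    while [ "$_diff" -ne 0 ]; do
        _diff=$(( _diff >> 1 ))
        _len=$(( _len - 1 ))
    done
    echo "$_len"
}

# Walk the thread's rule against two constructed sources from the 200/8 range.
for _src in 200.0.0.77 200.1.2.3; do
    for _prefix in 200.0.0.0/24 200.0.0.0/8; do
        if cidr_contains "$_prefix" "$_src"; then
            echo "$_src is matched by 'from $_prefix'"
        else
            echo "$_src is NOT matched by 'from $_prefix'"
        fi
    done
done
```

The loop shows 200.0.0.77 matched by both prefixes and 200.1.2.3 matched only by the /8; `common_prefix_len 200.0.0.0 200.1.2.3` prints 15, so nothing longer than /15 could have caught that second source, and the only prefix that means "all of 200.x.x.x" is /8.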
From: Joost Bekkers To: freebsd-ipfw@freebsd.org Message-ID: <20041127160532.GA7117@bps.jodocus.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="zYM0uCDKw75PZbzx" Content-Disposition: inline User-Agent: Mutt/1.4.2.1i Subject: REVIEW request: bin/74450: enable libalias/natd to create skipto rules when punching ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions X-List-Received-Date: Sat, 27 Nov 2004 16:05:36 -0000 --zYM0uCDKw75PZbzx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline

Hi

Can somebody knowledgeable please review this patch I've submitted to gnats? All comments are welcome.

Almost forgot to mention: the diff is against 5.3R

thanks

============================

When using ipfw in a stateful firewall with natd it's desirable to have natd create skipto rules instead of allow rules. See http://lists.freebsd.org/mailman/htdig/freebsd-ipfw/2004-June/001182.html for a description of the type of firewall I'm referring to.
-- greetz Joost joost@jodocus.org --zYM0uCDKw75PZbzx Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="alias-natd-skipto.diff" diff -c src/lib/libalias/dist/alias.h src/lib/libalias/alias.h *** src/lib/libalias/dist/alias.h Tue Nov 23 21:52:03 2004 --- src/lib/libalias/alias.h Fri Nov 26 19:46:27 2004 *************** *** 126,131 **** --- 126,132 ---- struct libalias *LibAliasInit(struct libalias *); void LibAliasSetAddress(struct libalias *, struct in_addr _addr); void LibAliasSetFWBase(struct libalias *, unsigned int _base, unsigned int _num); + void LibAliasSetFWSkipToRule(struct libalias *, unsigned int _rulenr); void LibAliasSetSkinnyPort(struct libalias *, unsigned int _port); unsigned int LibAliasSetMode(struct libalias *, unsigned int _flags, unsigned int _mask); diff -c src/lib/libalias/dist/alias_db.c src/lib/libalias/alias_db.c *** src/lib/libalias/dist/alias_db.c Tue Nov 23 21:52:03 2004 --- src/lib/libalias/alias_db.c Fri Nov 26 19:46:27 2004 *************** *** 2531,2537 **** static int fill_rule(void *buf, int bufsize, int rulenum, ! enum ipfw_opcodes action, int proto, struct in_addr sa, u_int16_t sp, struct in_addr da, u_int16_t dp) { struct ip_fw *rule = (struct ip_fw *)buf; --- 2531,2537 ---- static int fill_rule(void *buf, int bufsize, int rulenum, ! enum ipfw_opcodes action, int arg1, int proto, struct in_addr sa, u_int16_t sp, struct in_addr da, u_int16_t dp) { struct ip_fw *rule = (struct ip_fw *)buf; *************** *** 2547,2553 **** cmd = fill_one_port(cmd, O_IP_DSTPORT, dp); rule->act_ofs = (u_int32_t *) cmd - (u_int32_t *) rule->cmd; ! cmd = fill_cmd(cmd, action, F_INSN_SIZE(ipfw_insn), 0, 0); rule->cmd_len = (u_int32_t *) cmd - (u_int32_t *) rule->cmd; --- 2547,2553 ---- cmd = fill_one_port(cmd, O_IP_DSTPORT, dp); rule->act_ofs = (u_int32_t *) cmd - (u_int32_t *) rule->cmd; ! 
cmd = fill_cmd(cmd, action, F_INSN_SIZE(ipfw_insn), 0, arg1); rule->cmd_len = (u_int32_t *) cmd - (u_int32_t *) rule->cmd; *************** *** 2652,2660 **** if (GetOriginalPort(lnk) != 0 && GetDestPort(lnk) != 0) { u_int32_t rulebuf[255]; int i; i = fill_rule(rulebuf, sizeof(rulebuf), fwhole, ! O_ACCEPT, IPPROTO_TCP, GetOriginalAddress(lnk), ntohs(GetOriginalPort(lnk)), GetDestAddress(lnk), ntohs(GetDestPort(lnk))); r = setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_ADD, rulebuf, i); --- 2652,2666 ---- if (GetOriginalPort(lnk) != 0 && GetDestPort(lnk) != 0) { u_int32_t rulebuf[255]; int i; + enum ipfw_opcodes action; + + if (la->fireWallSkipTo==0) + action=O_ACCEPT; + else + action=O_SKIPTO; i = fill_rule(rulebuf, sizeof(rulebuf), fwhole, ! action, la->fireWallSkipTo, IPPROTO_TCP, GetOriginalAddress(lnk), ntohs(GetOriginalPort(lnk)), GetDestAddress(lnk), ntohs(GetDestPort(lnk))); r = setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_ADD, rulebuf, i); *************** *** 2662,2668 **** err(1, "alias punch inbound(1) setsockopt(IP_FW_ADD)"); i = fill_rule(rulebuf, sizeof(rulebuf), fwhole, ! O_ACCEPT, IPPROTO_TCP, GetDestAddress(lnk), ntohs(GetDestPort(lnk)), GetOriginalAddress(lnk), ntohs(GetOriginalPort(lnk))); r = setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_ADD, rulebuf, i); --- 2668,2674 ---- err(1, "alias punch inbound(1) setsockopt(IP_FW_ADD)"); i = fill_rule(rulebuf, sizeof(rulebuf), fwhole, ! action, la->fireWallSkipTo, IPPROTO_TCP, GetDestAddress(lnk), ntohs(GetDestPort(lnk)), GetOriginalAddress(lnk), ntohs(GetOriginalPort(lnk))); r = setsockopt(la->fireWallFD, IPPROTO_IP, IP_FW_ADD, rulebuf, i); *************** *** 2675,2681 **** rule.fw_number = fwhole; IP_FW_SETNSRCP(&rule, 1); /* Number of source ports. */ IP_FW_SETNDSTP(&rule, 1); /* Number of destination ports. */ ! 
rule.fw_flg = IP_FW_F_ACCEPT | IP_FW_F_IN | IP_FW_F_OUT; rule.fw_prot = IPPROTO_TCP; rule.fw_smsk.s_addr = INADDR_BROADCAST; rule.fw_dmsk.s_addr = INADDR_BROADCAST; --- 2681,2689 ---- rule.fw_number = fwhole; IP_FW_SETNSRCP(&rule, 1); /* Number of source ports. */ IP_FW_SETNDSTP(&rule, 1); /* Number of destination ports. */ ! rule.fw_flg = (la->fireWallSkipTo==0)?IP_FW_F_ACCEPT:IP_FW_F_SKIPTO; ! rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT; ! rule.fw_skipto_rule = la->fireWallSkipTo; rule.fw_prot = IPPROTO_TCP; rule.fw_smsk.s_addr = INADDR_BROADCAST; rule.fw_dmsk.s_addr = INADDR_BROADCAST; *************** *** 2778,2783 **** --- 2786,2799 ---- #ifndef NO_FW_PUNCH la->fireWallBaseNum = base; la->fireWallNumNums = num; + #endif + } + + void + LibAliasSetFWSkipToRule(struct libalias *la, unsigned int rulenr) + { + #ifndef NO_FW_PUNCH + la->fireWallSkipTo = rulenr; #endif } diff -c src/lib/libalias/dist/alias_local.h src/lib/libalias/alias_local.h *** src/lib/libalias/dist/alias_local.h Tue Nov 23 21:52:03 2004 --- src/lib/libalias/alias_local.h Fri Nov 26 19:46:27 2004 *************** *** 121,126 **** --- 121,128 ---- * free for our use */ int fireWallNumNums; /* How many entries can we * use? */ + int fireWallSkipTo; /* 0 == accept + * else rule number to skip to */ int fireWallActiveNum; /* Which entry did we last * use? */ char *fireWallField; /* bool array for entries */ diff -c src/lib/libalias/dist/libalias.3 src/lib/libalias/libalias.3 *** src/lib/libalias/dist/libalias.3 Tue Nov 23 21:52:03 2004 --- src/lib/libalias/libalias.3 Fri Nov 26 19:46:27 2004 *************** *** 270,275 **** --- 270,286 ---- .Ed .Pp .Ft void + .Fn LibAliasSetFWSkipToRule "struct libalias *" "unsigned int rulenr" + .Bd -ragged -offset indent + Cause + .Nm + to create skipto rules instead of the default allow rules + when making holes in the firewall. Setting + .Fa rulenr + to 0 will restore the default behavior of creating allow rules. 
+ .Ed + .Pp + .Ft void .Fn LibAliasSkinnyPort "struct libalias *" "unsigned int port" .Bd -ragged -offset indent Set the TCP port used by the Skinny Station protocol. diff -c src/sbin/natd/dist/natd.8 src/sbin/natd/natd.8 *** src/sbin/natd/dist/natd.8 Fri Nov 26 19:10:27 2004 --- src/sbin/natd/natd.8 Sat Nov 27 16:34:16 2004 *************** *** 31,36 **** --- 31,37 ---- .Op Fl log_denied .Op Fl log_facility Ar facility_name .Op Fl punch_fw Ar firewall_range + .Op Fl punch_skipto Ar rule_number .Op Fl skinny_port Ar port .Op Fl log_ipfw_denied .Op Fl pid_file | P Ar pidfile *************** *** 484,489 **** --- 485,493 ---- .Ar basenumber will be used for punching firewall holes. The range will be cleared for all rules on startup. + .It Fl punch_skipto Ar rule_number + Instead of the default allow rules, create skipto rules which skip to + .Ar rule_number . .It Fl skinny_port Ar port This option allows you to specify the TCP port used for the Skinny Station protocol. diff -c src/sbin/natd/dist/natd.c src/sbin/natd/natd.c *** src/sbin/natd/dist/natd.c Fri Nov 26 19:09:06 2004 --- src/sbin/natd/natd.c Fri Nov 26 19:35:50 2004 *************** *** 127,132 **** --- 127,133 ---- static int StrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto, port_range *portRange); static void ParseArgs (int argc, char** argv); static void SetupPunchFW(const char *strValue); + static void SetupPunchSkipTo(const char *strValue); static void SetupSkinnyPort(const char *strValue); static void NewInstance(const char *name); static void DoGlobal (int fd); *************** *** 1017,1022 **** --- 1018,1024 ---- LogDenied, LogFacility, PunchFW, + PunchSkipTo, SkinnyPort, LogIpfwDenied, PidFile *************** *** 1247,1252 **** --- 1249,1262 ---- "punch_fw", NULL }, + { PunchSkipTo, + 0, + String, + "rulenumber", + "use skipto instead of permit action when punching the firewall", + "punch_skipto", + NULL }, + { SkinnyPort, 0, String, *************** *** 1465,1470 **** --- 
1475,1484 ---- SetupPunchFW(strValue); break; + case PunchSkipTo: + SetupPunchSkipTo(strValue); + break; + case SkinnyPort: SetupSkinnyPort(strValue); break; *************** *** 1918,1923 **** --- 1932,1948 ---- LibAliasSetFWBase(mla, base, num); (void)LibAliasSetMode(mla, PKT_ALIAS_PUNCH_FW, PKT_ALIAS_PUNCH_FW); + } + + static void + SetupPunchSkipTo(const char *strValue) + { + unsigned int rule; + + if (sscanf(strValue, "%u", &rule) != 1) + errx(1, "punch_skipto: rule number required"); + + LibAliasSetFWSkipToRule(mla, rule); } static void --zYM0uCDKw75PZbzx-- From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 27 20:18:32 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D6F916A4CE for ; Sat, 27 Nov 2004 20:18:32 +0000 (GMT) Received: from mail1.webmaster.com (mail1.webmaster.com [216.152.64.168]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2A87B43D69 for ; Sat, 27 Nov 2004 20:18:32 +0000 (GMT) (envelope-from davids@webmaster.com) Received: from however by webmaster.com (MDaemon.PRO.v7.1.0.R) with ESMTP id md50000299745.msg for ; Sat, 27 Nov 2004 11:53:45 -0800 
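Review bot: in the fill_rule()/punch hunk of alias_db.c the skipto target travels as `int arg1` straight into `fill_cmd(cmd, action, F_INSN_SIZE(ipfw_insn), 0, arg1)` and nothing between `LibAliasSetFWSkipToRule()` and that call checks it: ipfw rule numbers are 16-bit, so a value above 65535 is silently truncated into the instruction's arg1 field, and a target that falls inside the punch range set by `LibAliasSetFWBase()` would skip into the punched rules themselves. Validate `rulenr` once (1..65535 and above `fireWallBaseNum + fireWallNumNums`), either by letting `LibAliasSetFWSkipToRule()` return an error or by checking in natd before calling it. Style(9) also wants spaces around the operators in `if (la->fireWallSkipTo==0)` and `action=O_ACCEPT;`.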
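Review bot: the legacy ipfw1 hunk has the same unchecked narrowing, `rule.fw_skipto_rule = la->fireWallSkipTo;` copies an `int` into a 16-bit field, and the assignment runs for the accept case as well, right after the ternary has chosen `IP_FW_F_ACCEPT`. Move it under the skipto branch, or at least apply the same range check as the ipfw2 path so both code paths reject the same input.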
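Review bot: `SetupPunchSkipTo()` parses with `sscanf(strValue, "%u", &rule)`, which accepts trailing garbage (`100x` becomes 100), wraps negative input into a large unsigned value and has no upper bound; the only diagnostic is for a string with no leading digits. Use strtoul(3) with an end-pointer check, reject values outside the 16-bit ipfw rule-number range before `LibAliasSetFWSkipToRule(mla, rule)`, and make the errx(3) text state the allowed range rather than just "rule number required".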
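Review bot: the natd.8 entry for `-punch_skipto` does not say that it has no effect without `-punch_fw`, which is what creates the holes being turned into skipto rules, nor that the target must lie above the punch_fw range for the skip to reach anything useful; the `LibAliasSetFWSkipToRule` paragraph in libalias.3 has the same gap and should mention that `PKT_ALIAS_PUNCH_FW` mode has to be set for any rule to be created at all. One sentence in each page would close it.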
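Review bot: the new natd.c option-table entry describes the default as a "permit action" while natd.8 and libalias.3 call them "allow rules"; ipfw(8) treats allow and permit as synonyms so either word is correct, but pick one and use it in the usage string and both manual pages.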
From: "David Schwartz" Date: Sat, 27 Nov 2004 12:17:21 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-Authenticated-Sender: joelkatz@webmaster.com X-Spam-Processed: mail1.webmaster.com, Sat, 27 Nov 2004 11:53:45 -0800 (not processed: message from trusted or authenticated source) X-MDRemoteIP: 206.171.168.138 X-Return-Path: davids@webmaster.com X-MDaemon-Deliver-To: freebsd-ipfw@freebsd.org X-MDAV-Processed: mail1.webmaster.com, Sat, 27 Nov 2004 11:53:49 -0800 Subject: PATCH: Add creation time to dynamic firewall rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: davids@webmaster.com List-Id: IPFW Technical Discussions X-List-Received-Date: Sat, 27 Nov 2004 20:18:32 -0000

FreeBSD/ipfw2 currently keeps the expiration time for dynamic firewall rules (obviously), but it does not track the creation time. The attached patch keeps the creation time and adds a flag to 'ipfw' to show the time since creation instead of the time until expiration.

This is useful for two reasons. First, knowing how long a connection has been around gives you an idea of how stable it is. Second, the packet/byte counters are not as meaningful without knowing what time period they cover -- with both the counters and the time frame, you can estimate the bandwidth consumption of the connection.

The cost is four bytes of memory per dynamic firewall rule. This is both consumed kernel memory for the dynamic rule table and cost of copying out the rules when they're requested. In addition, retrieving the dynamic firewall rules requires an extra computation to relativize the time (as is done for expiration time now).
Even for a large firewall with, say, 10,000 states, this is still a minimal amount of memory (40Kb). This patch is tested and is offered under the FreeBSD license. I would like to see it included in the distribution. The patch is against 5_STABLE, and the versions of the various files patched are in the patch headers. The patch has been tested. Note that both copies of ip_fw.h must be patched. David Schwartz -- --- ip_fw.h 1.89.2.2 2004/10/03 17:04:40 +++ ip_fw.h Fri Nov 26 18:51:15 2004 @@ -353,6 +353,7 @@ struct _ipfw_dyn_rule { u_int64_t bcnt; /* byte match counter */ struct ipfw_flow_id id; /* (masked) flow id */ u_int32_t expire; /* expire time */ + u_int32_t created; /* creation time */ u_int32_t bucket; /* which bucket in hash table */ u_int32_t state; /* state of this rule (typically a * combination of TCP flags) --- ip_fw2.c 1.54.2.3 2004/09/17 14:49:08 +++ ip_fw2.c Fri Nov 26 18:56:41 2004 @@ -1037,6 +1037,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_ r->id = *id; r->expire = time_second + dyn_syn_lifetime; + r->created = time_second; r->rule = rule; r->dyn_type = dyn_type; r->pcnt = r->bcnt = 0; @@ -3089,6 +3090,9 @@ ipfw_getrules(struct ip_fw_chain *chain, dst->expire = TIME_LEQ(dst->expire, time_second) ? 0 : dst->expire - time_second ; + dst->created = + TIME_LEQ(time_second, dst->created) ? + 0 : time_second - dst->created; bp += sizeof(ipfw_dyn_rule); } } --- ipfw.8 1.150.2.4 2004/11/08 19:07:03 +++ ipfw.8 Fri Nov 26 18:59:20 2004 @@ -13,7 +13,7 @@ .Cm add .Ar rule .Nm -.Op Fl acdefnNStT +.Op Fl acCdefnNStT .Brq Cm list | show .Op Ar rule | first-last ... .Nm 
@@ -223,6 +223,10 @@ Implies When entering or showing rules, print them in compact form, i.e., without the optional "ip from any to any" string when this does not carry any additional information. +.It Fl C +When viewing dynamic firewall rules, print the number of +seconds since the rule was created rather than the number +of seconds until the rule expires. .It Fl d While listing, show dynamic rules in addition to static ones. .It Fl e --- ipfw2.c 1.54.2.3 2004/09/17 14:49:08 +++ ipfw2.c Fri Nov 26 18:57:04 2004 @@ -67,6 +67,7 @@ int show_sets, /* display rule sets */ test_only, /* only check syntax */ comment_only, /* only print action and comment */ + show_created, /* show creation time */ verbose; #define IP_MASK_ALL 0xffffffff @@ -1367,7 +1368,8 @@ show_dyn_ipfw(ipfw_dyn_rule *d, int pcwi if (pcwidth>0 || bcwidth>0) printf(" %*llu %*llu (%ds)", pcwidth, align_uint64(&d->pcnt), bcwidth, - align_uint64(&d->bcnt), d->expire); + align_uint64(&d->bcnt), + show_created ? d->created : d->expire); switch (d->dyn_type) { case O_LIMIT_PARENT: printf(" PARENT %d", d->count); @@ -3843,7 +3845,7 @@ ipfw_main(int oldac, char **oldav) save_av = av; optind = optreset = 0; - while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1) + while ((ch = getopt(ac, av, "abcCdefhnNqs:STtv")) != -1) switch (ch) { case 'a': do_acct = 1; @@ -3906,7 +3908,9 @@ ipfw_main(int oldac, char **oldav) case 'v': /* verbose */ verbose = 1; break; - + case 'C': /* created time */ + show_created = 1; + break; default: free_args(save_ac, save_av); return 1;
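Review bot: adding `u_int32_t created;` to `struct _ipfw_dyn_rule` in ip_fw.h changes the size of the record that `ipfw_getrules()` copies to userland (the loop advances by `sizeof(ipfw_dyn_rule)`), so an ipfw(8) built against the old header misparses every dynamic rule a patched kernel returns, and vice versa; the remark that "both copies of ip_fw.h must be patched" is this kernel/userland ABI break stated the other way round. For a 5_STABLE merge that needs at least an UPDATING note, and preferably a way for ipfw(8) to notice the mismatch instead of printing garbage.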
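Review bot: in the show_dyn_ipfw() hunk the value printed by `printf(" %*llu %*llu (%ds)", ...)` changes meaning from seconds until expiry to seconds since creation when `show_created` is set, but the rendering stays the identical `(%ds)`, so saved `ipfw -d show` output cannot be told apart later. Print a distinguishing form for the created case, for example `(%ds old)`, or at minimum say in the new -C paragraph of ipfw.8 that the parenthesised value becomes the age, and that -C only does anything together with -d.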
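Review bot: `case 'C'` is appended after `case 'v'` by eating the blank line before `default:`; keep the blank line and place the case next to `case 'c'` so the switch stays in the same order as the getopt string `"abcCdefhnNqs:STtv"`. If ipfw2.c carries a usage or help string listing the flags, it is not touched by this diff and needs -C added as well.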