From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 14 11:01:56 2005
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 14 Mar 2005 11:01:55 GMT
Message-Id: <200503141101.j2EB1tBi090840@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw  ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483  ipfw  ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 14 21:01:26 2005
From: Michal Konieczny
To: freebsd-ipfw@freebsd.org
Date: Mon, 14 Mar 2005 22:01:20 +0100
Message-ID: <4235FBA0.6050309@cml.mfk.net.pl>
Subject: limit src-addr passes more connections than prescribed

Hello,

Last time I had to limit the number of connections to my www server for some static content, due to abusive use of download managers by some of the users. So I've set up something like this:

  ipfw add check-state ....
  ipfw add allow tcp from any to a.b.c.d www in via fxp0 setup limit src-addr 5

Quite obvious, according to the ipfw man page. It works, in a way: I no longer see 100+ connections from a single IP address, but there are often more than 5 connections in ESTABLISHED state from a single IP address; in random checks I've seen up to 20+ such connections.

An order of magnitude better than previously without the limit, but something seems wrong here to me.

The system in question is FreeBSD 5.3 cvsup'ed to the latest 5.3-STABLE (this is a production stage machine).

Am I missing something, have I not configured it properly, or maybe this has its reasons?

Best regards,
-- 
Michal Konieczny
mk@cml.mfk.net.pl

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 15 01:48:36 2005
From: Mikhail Manuylov
Reply-To: Mikhail Manuylov
To: freebsd-ipfw@freebsd.org
Date: Mon, 14 Mar 2005 21:34:41 +0300
Message-ID: <7ec6def9050314103429478a51@mail.gmail.com>
Subject: ipfw table add problem (need to supply mask even for single ip)

Hello.

I have a problem with adding several address names to one table without specifying a subnet CIDR mask for each.

# for example:
ipfw -n table 1 add 192.168.1.1, 172.16.1.2, 10.1.1.3, 10.1.1.4
ipfw: hostname ``192.168.1.1,172.16.1.2,10.1.1.3,10.1.1.4'' unknown
echo $?
68

# but
ipfw -n table 1 add 192.168.0.0/24, 172.16.0.0/16, 10.0.0.0/8
echo $?
0

# and
ipfw -n table 1 add 192.168.1.1/32, 172.16.1.2/32, 10.1.1.3/32, 10.1.1.4/32
echo $?
0

Is it necessary to specify a CIDR mask? ipfw(8) says "no":

"If masklen is not specified, it defaults to 32"

$ uname -vm
FreeBSD 4.11-STABLE #0: Wed Feb 23 18:14:56 MSK 2005 root@exapmple.com:/usr/obj/usr/src/sys/CUSTOM i386

I've compiled my kernel and world with the IPFW2 option and variables defined, respectively.

Thanks beforehand for your response.

-- 
Truly yours,
Mikhail Manuilov
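The error message in Mikhail's first command shows the whole comma-joined string being looked up as one hostname, while his third command shows that entries with an explicit /32 are accepted. The following is an added sh helper, not from the post and not part of ipfw, that expands a comma-separated list into one "ipfw table N add" command per entry with the masklen made explicit, and rejects a malformed masklen before it reaches ipfw. The table number and address list are caller-supplied, and the sample list is constructed from the addresses in the post; the script only prints commands.

```shell
#!/bin/sh
# Added example (not from the post or from ipfw): turn a comma-separated
# address list into one "ipfw table TABLE add ADDR/MASKLEN" command per
# entry, with /32 made explicit where no masklen was given. Only prints the
# commands; pipe the output to sh on a FreeBSD host to apply them.

# normalize_entry ENTRY  -> prints ENTRY/32 when no mask is given,
# ENTRY unchanged when it already has a numeric masklen 0..32,
# and fails (exit 1) on any other masklen.
normalize_entry() {
    entry=$1
    case "$entry" in
        */*)
            masklen=${entry##*/}
            case "$masklen" in
                ''|*[!0-9]*)
                    echo "normalize_entry: bad masklen in $entry" >&2
                    return 1 ;;
            esac
            if [ "$masklen" -gt 32 ]; then
                echo "normalize_entry: masklen > 32 in $entry" >&2
                return 1
            fi
            printf '%s\n' "$entry" ;;
        *)
            printf '%s/32\n' "$entry" ;;
    esac
}

# ipfw_table_cmds TABLE "ADDR, ADDR/MASKLEN, ..."  -> one command per line;
# malformed entries are reported on stderr and skipped.
ipfw_table_cmds() {
    table=$1
    printf '%s\n' "$2" | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r item; do
        [ -n "$item" ] || continue
        norm=$(normalize_entry "$item") || continue
        printf 'ipfw table %s add %s\n' "$table" "$norm"
    done
}

# Dry run with the poster's first (rejected) list plus one CIDR block:
ipfw_table_cmds 1 '192.168.1.1, 172.16.1.2, 10.1.1.3, 10.1.1.4, 10.0.0.0/8'
```

Piping the printed commands through `sh` on the firewall host applies them one entry at a time, so a single bad entry produces one clear failure instead of the whole list being rejected as an unknown hostname.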
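Michal Konieczny's message earlier in this digest reports spot checks showing 20+ ESTABLISHED connections from one address despite a "limit src-addr 5" rule. The following is an added check, not from either post, that turns such a spot check into a repeatable count: an sh/awk function that tallies ESTABLISHED TCP connections per remote address in "netstat -an" style output and reports the addresses above a given limit, optionally restricted to one local port. The sample output is constructed with RFC 5737 documentation addresses, and the column layout assumed is the FreeBSD one, with the port joined to each address by a dot.

```shell
#!/bin/sh
# Added check (not from either post): count ESTABLISHED TCP connections per
# remote address in "netstat -an" style output and report those above a
# limit, e.g. to compare against an ipfw "limit src-addr 5" rule.
# The sample below is constructed (RFC 5737 documentation addresses) in the
# FreeBSD netstat -an column layout: proto recvq sendq local foreign state,
# with the port joined to each address by a dot.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 203.0.113.10.80        192.0.2.7.40001        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.7.40002        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.7.40003        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.7.40004        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.7.40005        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.7.40006        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.7.40007        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.8.51001        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.8.51002        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.8.51003        ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.8.51004        TIME_WAIT
tcp4       0      0 203.0.113.10.80        198.51.100.5.33000     ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN
udp4       0      0 *.514                  *.*'

# established_per_src [LIMIT] [PORT]: reads netstat output on stdin and
# prints "COUNT ADDRESS" for every remote address holding more than LIMIT
# (default 0) ESTABLISHED connections to local PORT (default: any port),
# highest count first. Only tcp lines in state ESTABLISHED are counted.
established_per_src() {
    awk -v limit="${1:-0}" -v port="${2:-}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            lport = $4; sub(/.*\./, "", lport)        # local port only
            if (port != "" && lport != port) next
            src = $5; sub(/\.[0-9]+$/, "", src)      # drop the trailing .port
            n[src]++
        }
        END { for (s in n) if (n[s] > limit) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Usage on a live host would be:  netstat -an | established_per_src 5 80
# Here the constructed sample stands in for netstat:
printf '%s\n' "$SAMPLE_NETSTAT" | established_per_src 5 80
```

Because the function only counts connections in ESTABLISHED state, its output is directly comparable with the count the rule is meant to cap; repeating it a few times over a busy period gives a more reliable picture than a single random check.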