From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 18 11:02:40 2005
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 18 Apr 2005 11:02:40 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o  [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o  [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f  [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o  [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o  [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
o  [2004/12/25] i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o  [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o  [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o  [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 22 11:59:19 2005
From: "Cole"
Date: Fri, 22 Apr 2005 14:05:31 +0200
Subject: PEP + SCPS

Hi

I've been reading your mail you posted to freebsd-ipfw. I was
wondering if you have released an implementation of your PEP/SCPS code
for freebsd with which I could test? Or if you have a page
pertaining to this work you are doing?

Also is this an opensource or inhouse project or project for
sale or which?

Regards
/Cole

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 22 14:30:32 2005
From: "Patrick Feighery"
To: "'Cole'"
Date: Fri, 22 Apr 2005 10:30:11 -0400
Organization: The MITRE Corporation
Subject: RE: PEP + SCPS

Yes, the source code is freely available (ported to FreeBSD and Linux) for anyone to obtain and use however you would like - no strings attached.

As for on-line documentation. The main SCPS (Space Communication Protocol Standards) web site is located at www.scps.org which describes the underlying protocols. If you google on 'scps tp' you will see a bunch of stuff about SCPS, in particular the SCPS transport layer (SCPS TP) and its use as a transparent transport layer proxy.

Unfortunately I don't have a site that explains my work on it. But in general, it is used where the characteristics of the underlying network cause performance issues for applications using TCP as their transport mechanism. I have been involved in many different uses of it... Satellite Networking, RF environments, submarine comm, striping data from a single TCP connection among many low bandwidth links, etc... There are a handful of companies that sell commercial products based on the SCPS TP, and are deployed in a wide variety of commercial and military environments.

We don't have a site that it can be downloaded from. To obtain a copy of the code you simply need to send a quick request to Adrian Hooke adrian.j.hooke@jpl.nasa.gov and you will receive a copy of the code shortly.

Hope this helps and thanks for the interest. Please don't hesitate to contact me.

Pat

>>-----Original Message-----
>>From: owner-freebsd-ipfw@freebsd.org
>>[mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Cole
>>Sent: Friday, April 22, 2005 8:06 AM
>>To: freebsd-ipfw@freebsd.org
>>Subject: PEP + SCPS
>>
>>Hi
>>
>>I've been reading your mail you posted to freebsd-ipfw. I was
>>wondering if you have released an implementation of your PEP/SCPS code
>>for freebsd with which I could test? Or if you have a page
>>pertaining to this work you are doing?
>>
>>Also is this an opensource or inhouse project or project for
>>sale or which?
>>
>>Regards
>>/Cole

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 22 15:21:26 2005
From: Thomas Vogt
To: ipfw@freebsd.org
Date: Fri, 22 Apr 2005 17:20:16 +0200
Subject: blocking dhcp requests

Hey there,

I have a problem concerning ipfw and dhcp.
I am trying to block dhcp requests which are sent to my host.
but the dhcp server replies even though my firewall rule matches.

the firewall rule in my script

$cmd 02 deny log ip from any to any bootps keep-state in

which will be translated into:

deny log logamount 100 ip from any to any dst-port 67 keep-state

the log entry in /etc/security

Apr 22 14:41:54 lizard kernel: ipfw: 2 Deny UDP 0.0.0.0:68 255.255.255.255:67 in via fxp1

lizard# tcpdump -n -i fxp1 broadcast or host 192.168.1.2 and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp1, link-type EN10MB (Ethernet), capture size 96 bytes
14:41:54.026011 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:11:94:72:76, length: 548
14:41:54.026534 IP 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 351

the dhcp server sends the client an answer, even though ipfw seems to
reject the packet.
Is there any way to block the dhcp request from reaching the dhcp
server ?

tcpdump version 3.8.3
isc-dhcp3-server-3.0.2_7
FreeBSD lizard 5.4-RC2 FreeBSD 5.4-RC2

best regards
Thomas Vogt

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 22 16:28:21 2005
From: Dean Strik
To: Thomas Vogt
cc: ipfw@freebsd.org
Date: Fri, 22 Apr 2005 18:28:19 +0200
Subject: Re: blocking dhcp requests

Thomas Vogt wrote:
> I have a problem concerning ipfw and dhcp.
> I am trying to block dhcp requests which are sent to my host.
> but the dhcp server replies even though my firewall rule matches.
>
> the dhcp server sends the client an answer, even though ipfw seems to
> reject the packet.
> Is there any way to block the dhcp request from reaching the dhcp
> server ?

I guess not, since dhcpd uses BPF directly (like tcpdump). Any access
control will have to be done inside dhcpd.conf.

--
Dean C. Strik Eindhoven University of Technology
dean@stack.nl | dean@ipnet6.org | http://www.ipnet6.org/
"This isn't right. This isn't even wrong." -- Wolfgang Pauli
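
Added example, not part of the thread and not from any of its authors: a dhcpd.conf sketch of the in-daemon access control the last reply refers to, for ISC dhcpd 3.x. The blocked MAC is the requester shown in the tcpdump capture above; the netmask, the address range and the "workstation1" host are assumptions made up for illustration.

```conf
# dhcpd.conf - added example, values below are assumptions unless noted.
#
# dhcpd reads frames through BPF, so the decision to answer a client is
# made here in the daemon's own policy, not by an ipfw rule on port 67.

# Refuse one specific client. The MAC is the requester seen in the
# tcpdump output in the thread. "deny booting" only has meaning inside
# a host declaration and tells dhcpd not to respond to this client.
host blocked-client {
    hardware ethernet 00:11:11:94:72:76;
    deny booting;
}

# A client that is allowed to get a lease. Constructed MAC from the
# documentation range; the name and address are hypothetical.
host workstation1 {
    hardware ethernet 00:00:5e:00:53:01;
    fixed-address 192.168.1.10;
}

# Subnet of the server address 192.168.1.1 seen in the capture; the
# /24 netmask and the range are assumed.
subnet 192.168.1.0 netmask 255.255.255.0 {
    pool {
        range 192.168.1.100 192.168.1.150;
        # Only clients that have a host declaration may draw from
        # this pool; requests from any other MAC go unanswered.
        deny unknown-clients;
    }
}
```

dhcpd also accepts interface names on its command line, so leaving an interface off that list stops the daemon from listening there at all.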