From owner-freebsd-ipfw@FreeBSD.ORG Mon May 9 07:40:22 2005
Date: Mon, 9 May 2005 15:40:31 +0800
From: Melvin Foong
To: freebsd-ipfw@freebsd.org
Message-ID: <1664113357.20050509154031@skcventure.com>
Subject: Connection drop since upgrade to 5.3

Hello freebsd-ipfw,

I am using FreeBSD as a network router to connect to the internet. I was running 5.2.1 and upgraded to version 5.3. After the upgrade, SSH and MSN disconnect randomly if left idle. This did not happen with version 5.2.1.

The current set-up is ipfilter + ipfw. IPF is compiled into the kernel while ipfw is loaded with kldload. FTP can't be used because the forward rule I had previously refuses to work in 5.3 without compiling it into the kernel.

How do I go about this? I cannot seem to find the relevant information regarding this in the list; maybe I did not search properly. Any pointers would be appreciated.
--
Best regards,
Melvin Foong

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 9 11:02:26 2005
Date: Mon, 9 May 2005 11:02:24 GMT
Message-Id: <200505091102.j49B2OCN098169@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154  ipfw   ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25]  kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13]  kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw   ipfw2/1 conflict not detected or reported
o [2004/12/25]  i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30]  kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04]  kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon May 9 11:31:55 2005
Message-Id: <200505091331.1127380.6@mail6.btsoftware.com>
From: "Martin"
To: "ipfw@freebsd.org"
Date: Mon, 09 May 2005 13:31:06 +0200 (CEST)
Subject: IPFW status

Dear all,

Based on the amount of still outstanding (serious) bugs and my own experiences with IPFW in 5.3, I'm getting some doubts about the stability and (near) future & development of IPFW.

My problems with IPFW in 5.3:
- Forwarding not working in 5.3
- Statistics do not seem to be correct (or maybe packets do not pass the rules properly).

With 4.8 IPFW did not have the above mentioned problems.

Please advise.

Thanks,
Martin

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 9 11:47:53 2005
Message-ID: <427F4DE5.60407@kopek.net>
Date: Mon, 09 May 2005 13:47:49 +0200
From: "Oivind H. Danielsen"
To: "ipfw@freebsd.org"
Subject: ipfw2 panic: free: multiple frees in lookup_dyn_rule

Hello.

I would just like to add a "me too" on this report:
http://lists.freebsd.org/pipermail/freebsd-questions/2004-December/067195.html

The box (4.8-p25) has been running as a 3-way bridge/firewall for over 200 days without crashing, so it will probably be hard to reproduce. I have full crash dumps w/debug kernel, though.

I couldn't find a PR for this, nor could I find any fixes in the cvs repository. Should I file a new PR?

Best Regards,
Oivind H. Danielsen

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 9 15:49:32 2005
Date: Mon, 9 May 2005 23:49:30 +0800
From: Eugene Grosbein
To: bug-followup@freebsd.org
Cc: ipfw@freebsd.org, doc@freebsd.org
Message-ID: <20050509154930.GA40037@svzserv.kemerovo.su>
Subject: Re: docs/59835: ipfw(8) man page does not warn about accepted but meaningless rules

Hi!

The problem is still here for 5.4-STABLE:
http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/59835

Eugene Grosbein

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 10 06:36:43 2005
Message-ID: <42805673.2070401@quo.com.au>
Date: Tue, 10 May 2005 16:36:35 +1000
From: Simon Litchfield
To: freebsd-ipfw@freebsd.org
Cc: Joshua Paech
Subject: IPFW2 statefulness over bridge?

Hi. We've noticed ipfw2 doesn't seem to maintain state on outgoing connections over our bridge (running 5.3 generic). A similar configuration worked fine using pf on openbsd.

Are we missing something? Here's the guts of our rule script --

.... some init stuff here .....

# allow arps (oh yeah, this is important)
ipfw add allow layer2 mac-type arp

# deny spurious source addresses and spoof attempts
ipfw add deny log all from $addr_rfc1918 to any in via $ext_if
ipfw add deny log all from any to $addr_rfc1918 out via $ext_if
ipfw add deny log all from 'table(0)' to any in via $ext_if
ipfw add deny log all from any to 'table(0)' out via $ext_if
ipfw add deny log all from me to any in via $ext_if

# deny illegal TCP flag combinations
ipfw add deny log tcp from any to any tcpflags fin,urg,psh
ipfw add deny log tcp from any to any tcpflags syn,fin,rst,ack
ipfw add deny log tcp from any to any tcpflags '!syn,!fin,!ack'

.... a bunch of allows for the usual tcp/udp ports like 80 etc to various servers 'inside' the bridged network go here ....
# leave the inside of the firewall open
ipfw add allow layer2 via $int_if

# allow loopback
ipfw add allow ip from 127.0.0.0/8 to 127.0.0.0/8

# allow firewalled address to make any outgoing connections
ipfw add allow ip from 'table(0)' to any setup keep-state
ipfw add allow ip from me to any setup keep-state

# firewalling UDP is pretty pointless
ipfw add allow udp from any to any

# final denys
ipfw add allow icmp from any to any

ipfw add allow tcp from any to any setup keep-state
ipfw add allow ip from any to any setup keep-state

ipfw add reset tcp from any to any
ipfw add unreach port udp from any to any
ipfw add deny log ip from any to any

--
Quo Consulting
info@quo.com.au
http://www.quo.com.au/

Phone +61 (0)7 5520 2665
Fax +61 (0)2 8569 2377

Level 3 : Old Burleigh Theatre Arcade
66 Goodwin Terrace : Burleigh Heads
Queensland : Australia

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 10 12:35:12 2005
Date: Tue, 10 May 2005 05:35:04 -0700
From: Luigi Rizzo
To: Simon Litchfield
Cc: freebsd-ipfw@freebsd.org, Joshua Paech
Message-ID: <20050510053504.A86392@xorpc.icir.org>
In-Reply-To: <42805673.2070401@quo.com.au>
Subject: Re: IPFW2 statefulness over bridge?

Without looking into the detail, for which 1) I don't have time and 2) you haven't posted enough information (we'd need the complete ruleset and counter values and interfaces you use to be sure what is going on): the use of "via" options is almost always incorrect in ipfw configurations (due to bad examples that are cut&pasted out of context), and the use of "via" and "out" options in bridged ipfw configurations is _always_ wrong. The latter is documented in the manpage so there is no excuse :)

You should check which rule actually matches your outgoing packets. Almost surely you are accepting the packet at a rule before the 'keep-state' -- e.g. the

> .... a bunch of allows for the usual tcp/udp ports like 80 etc to

could be the place where this happens.

Anyway I would suggest you look at each rule and ask yourself
- what does this rule do? (the answer is generally in the manpage)
- do I really want this 'via' or 'in' or 'out' option?
and so on.

cheers
luigi

On Tue, May 10, 2005 at 04:36:35PM +1000, Simon Litchfield wrote:
> Hi. We've noticed ipfw2 doesn't seem to maintain state on outgoing
> connections over our bridge (running 5.3 generic). A similar
> configuration worked fine using pf on openbsd.
>
> Are we missing something? Here's the guts of our rule script --
>
> .... some init stuff here .....
>
> # allow arps (oh yeah, this is important)
> ipfw add allow layer2 mac-type arp
>
> # deny spurious source addresses and spoof attempts
> ipfw add deny log all from $addr_rfc1918 to any in via $ext_if
> ipfw add deny log all from any to $addr_rfc1918 out via $ext_if
> ipfw add deny log all from 'table(0)' to any in via $ext_if
> ipfw add deny log all from any to 'table(0)' out via $ext_if
> ipfw add deny log all from me to any in via $ext_if
>
> # deny illegal TCP flag combinations
> ipfw add deny log tcp from any to any tcpflags fin,urg,psh
> ipfw add deny log tcp from any to any tcpflags syn,fin,rst,ack
> ipfw add deny log tcp from any to any tcpflags '!syn,!fin,!ack'
>
> .... a bunch of allows for the usual tcp/udp ports like 80 etc to
> various servers 'inside' the bridged network go here ....
>
> # leave the inside of the firewall open
> ipfw add allow layer2 via $int_if
>
> # allow loopback
> ipfw add allow ip from 127.0.0.0/8 to 127.0.0.0/8
>
> # allow firewalled address to make any outgoing connections
> ipfw add allow ip from 'table(0)' to any setup keep-state
> ipfw add allow ip from me to any setup keep-state
>
> # firewalling UDP is pretty pointless
> ipfw add allow udp from any to any
>
> # final denys
> ipfw add allow icmp from any to any
>
> ipfw add allow tcp from any to any setup keep-state
> ipfw add allow ip from any to any setup keep-state
>
> ipfw add reset tcp from any to any
> ipfw add unreach port udp from any to any
> ipfw add deny log ip from any to any
>
>
> --
>
> Quo Consulting
> info@quo.com.au
> http://www.quo.com.au/
>
> Phone +61 (0)7 5520 2665
> Fax +61 (0)2 8569 2377
>
> Level 3 : Old Burleigh Theatre Arcade
> 66 Goodwin Terrace : Burleigh Heads
> Queensland : Australia
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 10 13:21:20 2005
Date: Tue, 10 May 2005 13:21:19 GMT
From: Tilman Linneweh
To: arved@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Message-Id: <200505101321.j4ADLJEb051609@freefall.freebsd.org>
Subject: Re: kern/76971: ipfw antispoof incorrectly blocks broadcasts

Synopsis: ipfw antispoof incorrectly blocks broadcasts

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: arved
Responsible-Changed-When: Tue May 10 13:20:47 GMT 2005
Responsible-Changed-Why:
Over to freebsd-ipfw mailinglist

http://www.freebsd.org/cgi/query-pr.cgi?pr=76971

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 10 13:50:50 2005
Date: Tue, 10 May 2005 13:50:49 GMT
From: Tilman Linneweh
To: arved@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Message-Id: <200505101350.j4ADonjj053834@freefall.freebsd.org>
Subject: Re: kern/73276: ipfw2 vulnerability (parser error)

Synopsis: ipfw2 vulnerability (parser error)

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: arved
Responsible-Changed-When: Tue May 10 13:50:30 GMT 2005
Responsible-Changed-Why:
Over to ipfw mailinglist

http://www.freebsd.org/cgi/query-pr.cgi?pr=73276

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 10 17:00:59 2005
Message-ID: <8eea04080505101000d1180ce@mail.gmail.com>
Date: Tue, 10 May 2005 10:00:58 -0700
From: Jon Simola
To: freebsd-ipfw@freebsd.org
In-Reply-To: <200505101350.j4ADonjj053834@freefall.freebsd.org>
Subject: Re: kern/73276: ipfw2 vulnerability (parser error)

On 5/10/05, Tilman Linneweh wrote:
> Synopsis: ipfw2 vulnerability (parser error)
>
> Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
> Responsible-Changed-By: arved
> Responsible-Changed-When: Tue May 10 13:50:30 GMT 2005
> Responsible-Changed-Why:
> Over to ipfw mailinglist
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=73276

More accurately, anything after the closing '}' is ignored by the parser. I'm pretty sure this fixes that.

--- ipfw2.c.orig Tue May 10 08:45:12 2005 +++ ipfw2.c Tue May 10 09:53:08 2005
@@ -2088,8 +2088,11 @@ i =3D -1; if (*s =3D=3D '-') i =3D a; - else if (*s =3D=3D '}') + else if (*s =3D=3D '}') { + if (strlen(s) > 1) + errx(EX_DATAERR, "trailing garbage after '}= '"); break; + } av =3D s+1; } return;

--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 10 18:50:07 2005
Date: Tue, 10 May 2005 18:50:07 GMT
Message-Id: <200505101850.j4AIo7SX094516@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Jon Simola
Subject: Re: kern/73276: ipfw2 vulnerability (parser error)

The following reply was made to PR kern/73276; it has been noted by GNATS.
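Review bot: the new `if (strlen(s) > 1)` guard in the `'}'` branch of the hunk turns text that the parser used to ignore silently into an EX_DATAERR failure, which is the right fail-closed behaviour for a rule parser, since a rule that loads with part of its text dropped is the problem the PR reports; `s[1] != '\0'` expresses the same test without walking the rest of the string, and including the offending text in the errx message (for example passing `s + 1` to a `%s`) would let the operator see what was being discarded. Note also that the hunk as posted is quoted-printable encoded (`=3D` stands for `=`, and the `= '` inside the errx string is a soft line break), so it has to be decoded before it will apply.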
From: Jon Simola
To: bug-followup@freebsd.org
Subject: Re: kern/73276: ipfw2 vulnerability (parser error)
Date: Tue, 10 May 2005 11:45:55 -0700

On 5/10/05, Tilman Linneweh wrote:
> Synopsis: ipfw2 vulnerability (parser error)
>
> Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
> Responsible-Changed-By: arved
> Responsible-Changed-When: Tue May 10 13:50:30 GMT 2005
> Responsible-Changed-Why:
> Over to ipfw mailinglist
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=73276

More accurately, anything after the closing '}' is ignored by the parser. I'm pretty sure this fixes that.

--- ipfw2.c.orig Tue May 10 08:45:12 2005 +++ ipfw2.c Tue May 10 09:53:08 2005
@@ -2088,8 +2088,11 @@ i =3D -1; if (*s =3D=3D '-') i =3D a; - else if (*s =3D=3D '}') + else if (*s =3D=3D '}') { + if (strlen(s) > 1) + errx(EX_DATAERR, "trailing garbage after '}= '"); break; + } av =3D s+1; } return;

--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 10 21:36:53 2005
Message-ID: <8eea04080505101436289b58e7@mail.gmail.com>
Date: Tue, 10 May 2005 14:36:52 -0700
From: Jon Simola
To: freebsd-ipfw@freebsd.org, Joshua Paech
In-Reply-To: <42805673.2070401@quo.com.au>
Subject: Re: IPFW2 statefulness over bridge?

On 5/9/05, Simon Litchfield wrote:
> Hi. We've noticed ipfw2 doesn't seem to maintain state on outgoing
> connections over our bridge (running 5.3 generic). A similar
> configuration worked fine using pf on openbsd.
>
> Are we missing something? Here's the guts of our rule script --

ipfw bridges only get one chance at the packet, because the bdg_forward path does not have anything similar to ether_output. You can't firewall packets on their way out of your bridge, only on the way in. So via doesn't make sense, and "in recv" might make some sense depending on what you're trying to do. See the diagram in ipfw(8) for details.

> # allow arps (oh yeah, this is important)
> ipfw add allow layer2 mac-type arp

You might want to rewrite your ruleset to split off the layer2 and layer3 rules, otherwise (depending on your config) each packet will pass through the entire ruleset twice: once at layer2, and again at layer3. Passes at layer2 won't match any rules that don't specify "layer2" on the rule, and MAC matching doesn't make sense at layer3.
--
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 11 15:37:58 2005
Date: Wed, 11 May 2005 08:37:53 -0700
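For the bridge thread above (Simon's rule script and the replies from Luigi and Jon), the following is an added example and not code from the thread or from FreeBSD: a small Python linter that reads an `ipfw add` rule script and reports the three things those replies call out. It assumes rules appear as literal `ipfw add` lines with shell variables such as `$ext_if` left unexpanded; the sample ruleset embedded in it is constructed, modelled on the posted one.

```python
"""Lint an ipfw(8) rule script for the bridge pitfalls raised in this thread.

Added example for the thread above; not code from the thread or from
FreeBSD.  It assumes rules are written as literal 'ipfw add ...' lines
(shell variables such as $ext_if are kept as opaque tokens) and checks:
  * 'via' / 'out' on a bridge: ipfw only sees a bridged packet on the
    way in, so these options never match there ('in recv <if>' does)
  * a stateless 'allow' placed before the first 'keep-state' rule: a
    flow accepted there never creates a dynamic rule
  * MAC options ('mac-type') on a rule without 'layer2': such a rule
    cannot match on the layer-2 pass and is meaningless at layer 3
"""
import shlex
from dataclasses import dataclass

ACCEPT_ACTIONS = {"allow", "accept", "pass", "permit"}   # ipfw synonyms


@dataclass
class Rule:
    lineno: int        # 1-based line number in the script
    action: str        # allow, deny, reset, ...
    opts: list         # tokens after the action and an optional 'log'
    text: str


def parse_ruleset(script: str) -> list:
    """Collect the 'ipfw add' lines of a shell-style rule script."""
    rules = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop shell comments
        if not line.startswith("ipfw add"):
            continue
        toks = shlex.split(line)[2:]              # strip 'ipfw add'
        if toks and toks[0].isdigit():            # optional rule number
            toks = toks[1:]
        if not toks:
            continue
        action, opts = toks[0], toks[1:]
        if opts and opts[0] == "log":
            opts = opts[1:]
        rules.append(Rule(lineno, action, opts, line))
    return rules


def lint_bridge_ruleset(script: str) -> list:
    """Return (lineno, message) findings for a ruleset used on a bridge."""
    rules = parse_ruleset(script)
    first_state = next((r.lineno for r in rules if "keep-state" in r.opts), None)
    findings = []
    for r in rules:
        opts = set(r.opts)
        if opts & {"via", "out"}:
            findings.append((r.lineno, "'via'/'out' never match on a bridge: the "
                             "packet is only seen on the way in (use 'in recv <if>')"))
        if "mac-type" in opts and "layer2" not in opts:
            findings.append((r.lineno, "'mac-type' without 'layer2' cannot match "
                             "on the layer-2 pass and is meaningless at layer 3"))
        # layer2 rules are skipped here: the packet comes back through the
        # ruleset at layer 3 anyway, so an accept at layer 2 does not stop
        # it from reaching a later keep-state rule.
        if (r.action in ACCEPT_ACTIONS and "keep-state" not in opts
                and "layer2" not in opts
                and first_state is not None and r.lineno < first_state):
            findings.append((r.lineno, "stateless accept before the first "
                             "keep-state rule: flows matched here create no state"))
    return findings


# Constructed sample modelled on the ruleset posted in this thread.
SAMPLE_RULESET = """\
ext_if=em0
int_if=em1
# spoof checks written with 'via', as in the posted script
ipfw add allow layer2 mac-type arp
ipfw add deny log all from any to 'table(0)' out via $ext_if
ipfw add deny log all from me to any in via $ext_if
ipfw add allow tcp from any to 10.0.0.5 dst-port 80
ipfw add allow layer2 via $int_if
ipfw add allow ip from 127.0.0.0/8 to 127.0.0.0/8
ipfw add allow ip from 'table(0)' to any setup keep-state
ipfw add allow udp from any to any
ipfw add allow tcp from any to any setup keep-state
ipfw add deny log ip from any to any
"""

if __name__ == "__main__":
    for lineno, msg in lint_bridge_ruleset(SAMPLE_RULESET):
        print(f"line {lineno}: {msg}")
```

Run on the sample it flags every `via`/`out` rule, and the stateless allows (the per-server accept and the loopback rule) that sit ahead of the first `keep-state` rule, which is where Luigi expects the outgoing packets to be accepted; the ARP rule passes because it carries `layer2`, and accepts on the layer-2 pass are not counted as stateless because, as Jon notes, the packet traverses the ruleset again at layer 3.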
From: Luigi Rizzo
To: Martin
Cc: "ipfw@freebsd.org"
Message-ID: <20050511083753.E9102@xorpc.icir.org>
In-Reply-To: <200505091331.1127380.6@mail6.btsoftware.com>
Subject: Re: IPFW status

Can you be more specific and provide configurations that exhibit the problems you report? Also I assume you are using ipfw2 on 4.8 too...

cheers
luigi

On Mon, May 09, 2005 at 01:31:06PM +0200, Martin wrote:
> Dear all,
>
> Based on the amount of still outstanding (serious) bugs and my own
> experiences with IPFW in 5.3, I'm getting some doubts about the
> stability and (near) future & development of IPFW.
>
> My problems with IPFW in 5.3:
> - Forwarding not working in 5.3
> - Statistics do not seem to be correct (or maybe packets do not pass the rules properly).
>
> With 4.8 IPFW did not have the above mentioned problems.
>
> Please advise.
> > Thanks, > > Martin > > > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Thu May 12 11:12:08 2005 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1875116A4CE for ; Thu, 12 May 2005 11:12:08 +0000 (GMT) Received: from gkm.sumy.ua (gkm.sm.chereda.net [193.110.17.29]) by mx1.FreeBSD.org (Postfix) with ESMTP id 42A4843D64 for ; Thu, 12 May 2005 11:12:06 +0000 (GMT) (envelope-from anton@abutsyk.sumy.ua) Received: (qmail 68440 invoked by uid 0); 12 May 2005 11:12:03 -0000 Received: from admin.gkm.sumy.ua (HELO admin) (10.3.0.1) by gkm.sumy.ua with SMTP; 12 May 2005 11:12:03 -0000 X-AntiVirus: Checked by Dr.Web [version: 4.32b, engine: 4.32b, virus records: 74047, updated: 11.05.2005] Message-ID: <00a901c556e3$766ae8d0$0100030a@admin> 
From: "Anton Butsyk"
Date: Thu, 12 May 2005 14:12:18 +0300
Subject: syn scan

Dear all,

Is it possible to detect and/or disable nmap SYN scan with ipfw?
I've added the rule below; it catches some packets from nmap but not all

deny tcp from any to me dst-port 22,25,53,80,443 \
    tcpflags syn,!fin,!ack,!psh,!rst,!urg \
    tcpoptions mss,window,!sack,ts,!cc

maybe this isn't the right way to build an intrusion detection/prevention system, maybe snort?

Thanks,
bam

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 12 13:12:43 2005
From: "Chris Dionissopoulos"
Date: Thu, 12 May 2005 16:11:44 +0300
Subject: Re: syn scan
Message-ID: <006501c556f4$371a3300$0100000a@R3B>
References: <00a901c556e3$766ae8d0$0100030a@admin>

> Is it possible to detect and/or disable nmap SYN scan with ipfw?
> I've added the rule below; it catches some packets from nmap but not all
>
> deny tcp from any to me dst-port 22,25,53,80,443 \
>     tcpflags syn,!fin,!ack,!psh,!rst,!urg \
>     tcpoptions mss,window,!sack,ts,!cc
>
> maybe this isn't the right way to build an intrusion detection/prevention system, maybe snort?

Try snort + snortsam (ipfw2) plugin.
http://www.snortsam.net/

____________________________________________________________________
http://www.freemail.gr - free email service for the Greek-speaking.
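Anton's rule, quoted in the two messages above, fires only when a SYN carries the MSS, window-scale and timestamp options and carries neither SACK nor CC; a SYN with any other option set, including one with no options at all, falls through, which is consistent with it catching "some packets but not all". The following Python script is an added illustration written for this thread (it is not code from the thread, from nmap or from ipfw): it parses constructed TCP SYN segments, applies the same dst-port, tcpflags and tcpoptions tests the rule expresses, and also implements the stricter "pure SYN with neither MSS nor timestamps" test that Jeremie suggests later in the thread. The option-kind numbers behind each ipfw keyword, the packet bytes and the port numbers are assumptions made here, modelled on the IANA TCP option kinds rather than taken from ipfw's source.

```python
"""Model of ipfw's tcpflags/tcpoptions matching applied to constructed TCP
SYN segments.  Added illustration for the 'syn scan' thread; the packets are
constructed here, not captured from anyone's network, and the option-kind
mapping is an approximation of ipfw's keywords, not ipfw's own code."""
import struct

TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20}
# ipfw tcpoptions keyword -> TCP option kind numbers it covers (assumed mapping)
TCP_OPTIONS = {"mss": {2}, "window": {3}, "sack": {4, 5}, "ts": {8},
               "cc": {11, 12, 13}}

ANTON_RULE = {  # the rule quoted in the thread, expressed as data
    "dst_ports": {22, 25, 53, 80, 443},
    "tcpflags": ["syn", "!fin", "!ack", "!psh", "!rst", "!urg"],
    "tcpoptions": ["mss", "window", "!sack", "ts", "!cc"],
}


def parse_tcp(segment):
    """Return (dst port, flag bits, set of option kinds) of a TCP header."""
    (_sport, dport, _seq, _ack, off_res, flags,
     _win, _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad TCP data offset")
    opts = segment[20:header_len]
    kinds = set()
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding, one byte, no length
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        kinds.add(kind)
        i += opts[i + 1]                   # skip by the option's own length byte
    return dport, flags, kinds


def matches(segment, rule):
    """Evaluate the rule's dst-port, tcpflags and tcpoptions tests."""
    dport, flags, kinds = parse_tcp(segment)
    if dport not in rule["dst_ports"]:
        return False
    for spec in rule["tcpflags"]:          # "!x" means the flag must be clear
        want = not spec.startswith("!")
        if bool(flags & TCP_FLAGS[spec.lstrip("!")]) != want:
            return False
    for spec in rule["tcpoptions"]:        # "!x" means the option must be absent
        want = not spec.startswith("!")
        if bool(kinds & TCP_OPTIONS[spec.lstrip("!")]) != want:
            return False
    return True


def lacks_mss_and_ts(segment):
    """Jeremie's heuristic: a pure SYN carrying neither MSS nor timestamps."""
    _dport, flags, kinds = parse_tcp(segment)
    is_pure_syn = flags & TCP_FLAGS["syn"] and not flags & TCP_FLAGS["ack"]
    return bool(is_pure_syn) and not (kinds & (TCP_OPTIONS["mss"] | TCP_OPTIONS["ts"]))


def build_syn(dport, options=b""):
    """Constructed SYN segment (no IP header; checksum left as zero)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0,
                         data_offset << 4, TCP_FLAGS["syn"], 65535, 0, 0)
    return header + options


# Three constructed SYNs to port 22 (option bytes: kind, length, value)
SYN_MSS_WS_TS = build_syn(22, b"\x02\x04\x05\xb4"      # MSS 1460
                          + b"\x03\x03\x07" + b"\x01"  # window scale 7, NOP
                          + b"\x08\x0a" + b"\x00" * 8)  # timestamps
SYN_TYPICAL_OS = build_syn(22, b"\x02\x04\x05\xb4" + b"\x04\x02"  # MSS, SACK-permitted
                           + b"\x08\x0a" + b"\x00" * 8           # timestamps
                           + b"\x01" + b"\x03\x03\x07")          # NOP, window scale
SYN_BARE = build_syn(22)                                         # no options at all
```

Running the three constructed SYNs through matches() shows only the one carrying exactly MSS, window scale and timestamps being caught; the SACK-capable SYN and the option-less SYN both pass the rule. The option-less SYN is the one lacks_mss_and_ts() flags, and it is also the case Jeremie warns about: an old stack that sends neither option would be refused by such a rule just like a scanner would.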
From owner-freebsd-ipfw@FreeBSD.ORG Fri May 13 09:15:16 2005
From: Jeremie Le Hen
To: Anton Butsyk
cc: freebsd-ipfw@freebsd.org
Date: Fri, 13 May 2005 11:15:15 +0200
Subject: Re: syn scan
Message-ID: <20050513091515.GC667@obiwan.tataz.chchile.org>
In-Reply-To: <00a901c556e3$766ae8d0$0100030a@admin>

Hi Anton,

> Dear all,
>
> Is it possible to detect and/or disable nmap SYN scan with ipfw?
> I've added the rule below; it catches some packets from nmap but not all
>
> deny tcp from any to me dst-port 22,25,53,80,443 \
>     tcpflags syn,!fin,!ack,!psh,!rst,!urg \
>     tcpoptions mss,window,!sack,ts,!cc

nmap SYN scan doesn't use TCP options at all IIRC. MSS and TS are very common these days, so I guess you could drop TCP SYN packets which don't have one of those. Be warned nevertheless that some older systems might not be able to establish a connection anymore.

I think the correct way to do this is indeed using an IDS.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 13 16:57:23 2005
Message-ID: <6917ef380505130957479e6134@mail.gmail.com>
Date: Fri, 13 May 2005 23:57:22 +0700
From: dwi amk
To: freebsd-ipfw@freebsd.org
Subject: natd connection limit per host

Hi,

I need to know how to set the maximum number of nat'ed connections per host, let's say 10 or 15 nat'ed connections per host, like the WinRoute NatConnLimitPerHost entry in the registry.

TIA
-- 
::DAMK::

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 13 17:50:58 2005
From: Darcy Buskermolen
Organization: Wavefire Technologies Corp
To: freebsd-ipfw@freebsd.org, dwi amk
Date: Fri, 13 May 2005 10:51:55 -0700
Subject: Re: natd connection limit per host
Message-Id: <200505131051.55892.darcy@wavefire.com>
In-Reply-To: <6917ef380505130957479e6134@mail.gmail.com>

On Friday 13 May 2005 09:57, dwi amk wrote:
> Hi,
>
> I need to know how to set the maximum number of nat'ed connections per host, let's
> say 10 or 15 nat'ed connections per host, like the WinRoute
> NatConnLimitPerHost entry in the registry.

This is easily handled by ipfw/dummynet

>
> TIA

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
http://www.wavefire.com
ph: 250.717.0200
fx: 250.763.1759

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 14 03:59:40 2005
From: dwi amk
To: Darcy Buskermolen
cc: freebsd-ipfw@freebsd.org
Date: Sat, 14 May 2005 10:59:39 +0700
Subject: Re: natd connection limit per host
Message-ID: <6917ef3805051320594810d4dd@mail.gmail.com>
In-Reply-To: <200505131051.55892.darcy@wavefire.com>

Thanks for the quick reply, but that's not exactly what I want to do right now. I want to limit not the bandwidth used, but the maximum number of NAT connections a host can have. For example, a user can connect to at most 2 IRC servers and do at most 3 DCC and 1 Messenger, so he can have at most 6 NAT connections. How can we do this with ipfw?
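What dwi is asking for is a cap on the number of simultaneous connections per inside host, not on bandwidth, so a dummynet pipe does not express it. ipfw(8) documents a `limit {src-addr|src-port|dst-addr|dst-port} N` option on stateful rules that keeps at most N dynamic states sharing the chosen parameter, which is the ipfw mechanism closest to a per-host connection count. The Python below is an added illustration written for this thread (not ipfw's dynamic-rule code and not something the participants posted): it models that per-source-address state counting over a constructed sequence of connection events, using dwi's figure of 6 as the limit. The host addresses, ports, event kinds and the idle timeout are assumed values, and how such a rule is ordered relative to a natd divert rule is outside the model.

```python
"""Per-source-host connection counting in the style of ipfw's
'limit src-addr N' keyword (see ipfw(8)).  Added illustration for the
'natd connection limit per host' thread; a simplified model written here,
not ipfw's own dynamic-rule code.  All traffic below is constructed."""


class PerHostLimiter:
    """Tracks open connections per source address, as ipfw's dynamic rules
    do for 'limit src-addr N'; states idle longer than idle_timeout expire."""

    def __init__(self, limit, idle_timeout=300):
        self.limit = limit
        self.idle_timeout = idle_timeout   # seconds, assumed value
        self.states = {}                   # (src, sport, dst, dport) -> last activity

    def _expire(self, now):
        stale = [k for k, t in self.states.items() if now - t > self.idle_timeout]
        for key in stale:
            del self.states[key]

    def open_count(self, src):
        return sum(1 for key in self.states if key[0] == src)

    def handle(self, event):
        """Return 'allow' or 'deny' for one (time, src, sport, dst, dport, kind) event;
        kind is 'syn' (connection setup), 'data' or 'fin' (teardown)."""
        now, src, sport, dst, dport, kind = event
        self._expire(now)
        key = (src, sport, dst, dport)
        if key in self.states:             # packet belongs to a known flow
            if kind == "fin":
                del self.states[key]       # connection torn down, slot freed
            else:
                self.states[key] = now     # refresh the idle timer
            return "allow"
        if kind != "syn":                  # no state and not a setup packet
            return "deny"
        if self.open_count(src) >= self.limit:
            return "deny"                  # this host is already at its limit
        self.states[key] = now             # create state for the new connection
        return "allow"


def simulate(events, limit, idle_timeout=300):
    """Run the events through a fresh limiter; return (verdicts, limiter)."""
    limiter = PerHostLimiter(limit, idle_timeout)
    return [limiter.handle(e) for e in events], limiter


# Constructed traffic: one LAN host opening IRC, DCC and Messenger sessions,
# a second LAN host, a teardown, a stateless data packet and an idle period.
LAN_HOST, OTHER_HOST = "10.0.0.5", "10.0.0.6"
IRC, PEER = "198.51.100.7", "198.51.100.8"
EVENTS = [
    (0, LAN_HOST, 50000, IRC, 6667, "syn"),     # allow (1 open)
    (1, LAN_HOST, 50001, IRC, 6667, "syn"),     # allow (2)
    (2, LAN_HOST, 50002, PEER, 5000, "syn"),    # allow (3)
    (3, LAN_HOST, 50003, PEER, 5001, "syn"),    # allow (4)
    (4, LAN_HOST, 50004, PEER, 5002, "syn"),    # allow (5)
    (5, LAN_HOST, 50005, PEER, 1863, "syn"),    # allow (6, at the limit)
    (6, LAN_HOST, 50006, PEER, 5003, "syn"),    # deny  (7th would exceed it)
    (7, OTHER_HOST, 50000, IRC, 6667, "syn"),   # allow (other host counted separately)
    (8, LAN_HOST, 50000, IRC, 6667, "fin"),     # allow (closes, 5 open)
    (9, LAN_HOST, 50006, PEER, 5003, "syn"),    # allow (slot freed by the FIN)
    (10, LAN_HOST, 50007, PEER, 5004, "data"),  # deny  (no state, not a setup)
    (400, LAN_HOST, 50008, PEER, 5005, "syn"),  # allow (idle states expired)
]

if __name__ == "__main__":
    verdicts, limiter = simulate(EVENTS, limit=6)
    for event, verdict in zip(EVENTS, verdicts):
        print(f"t={event[0]:>3} {event[1]}:{event[2]} -> {event[3]}:{event[4]} {event[5]:<4} {verdict}")
```

The verdict list shows the seventh setup from the same host being refused while the other host is unaffected, a slot reopening once a connection is torn down, and idle states expiring so the counter does not leak. The last two behaviours are the ones to think about before deploying a real limit rule: without state expiry a host that never closes cleanly is eventually locked out, and without a matching check-state, non-setup packets never find their state.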