From: Mark Beaver <beaverm@corp.earthlink.net>
Date: Sun, 15 May 2005 12:32:26 -0400
To: freebsd-ipfw@freebsd.org
Subject: Ipfw/natd Nice Level

I'm curious if anyone has ever run natd at a negative nice level. If so, how did you get it to stick at startup, and were there any pros/cons of doing so?
Thanks,
Mark Beaver
EarthLink Inc

From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
Date: Mon, 16 May 2005 11:01:51 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems
Serious problems
Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276 ipfw  ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971 ipfw  ipfw antispoof incorrectly blocks broadca

2 problems total.
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
Date: Mon, 16 May 2005 11:02:35 GMT
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems
Serious problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274 ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341 ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154 ipfw  ipfw core (crash)
o [2004/03/03] kern/63724 ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694 ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910 ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104 ipfw  ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483 ipfw  ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534 ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159 ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172 ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086 ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749  ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984 ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719 ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963 ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366 ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From: Darcy Buskermolen <darcy@wavefire.com>
Organization: Wavefire Technologies Corp
Date: Mon, 16 May 2005 08:51:49 -0700
To: dwi amk
Cc: freebsd-ipfw@freebsd.org
Subject: Re: natd connection limit per host

On Friday 13 May 2005 20:59, dwi amk wrote:
> Thanks for the quick reply, but that's not exactly what I want to do right
> now. I want to limit not the bandwidth use, but the maximum number of
> connections a host can NAT. It's like a user can connect to max 2 IRC servers
> and do max 3 DCC and 1 Messenger, so that he can have max 6 NAT
> connections. How can we do this with ipfw?
limit {src-addr | src-port | dst-addr | dst-port} N
    The firewall will only allow N connections with the same set of
    parameters as specified in the rule. One or more of source and
    destination addresses and ports can be specified.

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
http://www.wavefire.com
ph: 250.717.0200
fx: 250.763.1759

From: Stephane Raimbault <stephane@enertiasoft.com>
Date: Wed, 18 May 2005 10:51:37 -0600
To: freebsd-ipfw@freebsd.org
Subject: named error sending response: permission denied
Hi,

I've been noticing lots of errors in my /var/log/messages reporting named errors:

May 18 06:45:14 enertia1 named[8320]: client 204.9.110.133#1829: error sending response: permission denied
May 18 06:45:14 enertia1 named[8320]: client 204.9.110.133#1993: error sending response: permission denied
May 18 06:45:19 enertia1 named[8320]: client 204.9.110.132#3123: error sending response: permission denied
May 18 06:45:22 enertia1 named[8320]: client 204.9.110.143#61370: error sending response: permission denied
May 18 06:46:21 enertia1 named[8320]: client 204.9.110.133#3529: error sending response: permission denied

I also noticed these errors in my ipfw.log file:

May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:3371 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:1420 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:2961 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:4701 in via vlan1

For some reason, it seems like ipfw is kiboshing some of the DNS queries going through the server. Queries seem to work as far as I can tell, but randomly I get the above error messages. I believe this is a fairly heavily loaded DNS server amongst other services.

Here are my ipfw rules for the DNS:

/etc/rc.firewall.rules
fwcmd="/sbin/ipfw -q"
ip2=204.9.110.134
${fwcmd} add pass tcp from any to ${ip2} 53 setup
${fwcmd} add pass udp from any to ${ip2} 53 keep-state

I'm suspecting I'm hitting some sort of (hopefully tunable) ipfw limit. Can anyone provide me some insight on this... I'm not having much luck with Google or looking in the list archives.

This is on a FreeBSD 4.11 system.
Thank you,
Stephane

From: Stephane Raimbault <stephane@enertiasoft.com>
Date: Wed, 18 May 2005 11:08:03 -0600
To: Jose Hidalgo
Cc: freebsd-ipfw@freebsd.org
Subject: Re: named error sending response: permission denied

On 18-May-05, at 11:03 AM, Jose Hidalgo wrote:
> On Wed, 2005-05-18 at 10:51 -0600, Stephane Raimbault wrote:
>
>> I also noticed these errors in my ipfw.log file:
>>
>> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:3371 in via vlan1
>> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:1420 in via vlan1
>> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:2961 in via vlan1
>> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:4701 in via vlan1
>
> As you can see, and according to the ACLs, you have
> the problem when 204.9.110.134 is the client of
> the DNS queries.
>
> You may need to add
>
> ${fwcmd} add pass udp from ${ip2} to any 53 keep-state

Actually... I already had this in another part of my ipfw rules:

${fwcmd} add pass udp from ${ip2} to any 53 keep-state

The server itself can also make DNS requests out... however it still seems that requests (not all) are getting kiboshed by something.

> or you may want to reduce the number of rules with:
>
> ${fwcmd} add pass udp from any to any 53 keep-state
>
> --
> Jose Hidalgo
> Corp. Hostarica S.A.
From: Jose Hidalgo <jose@hostarica.com>
Organization: Corp. Hostarica S.A.
Date: Wed, 18 May 2005 11:03:04 -0600
To: Stephane Raimbault
Cc: freebsd-ipfw@freebsd.org
Subject: Re: named error sending response: permission denied

On Wed, 2005-05-18 at 10:51 -0600, Stephane Raimbault wrote:
> I also noticed these errors in my ipfw.log file:
>
> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:3371 in via vlan1
> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:1420 in via vlan1
> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:2961 in via vlan1
> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:4701 in via vlan1

As you can see, and according to the ACLs, you have the problem when 204.9.110.134 is the client of the DNS queries.

You may need to add

${fwcmd} add pass udp from ${ip2} to any 53 keep-state

or you may want to reduce the number of rules with:

${fwcmd} add pass udp from any to any 53 keep-state

-- 
Jose Hidalgo
Corp. Hostarica S.A.
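An added example, not code from this thread and not FreeBSD's own rc.firewall, that puts the two suggestions above into one ruleset: Darcy's "limit src-addr N" for the per-host NAT question, and DNS rules that keep "keep-state" off the public query path that Jose's and Stephane's rules put it on. The public address, LAN range, interface names and the per-host cap of 6 are assumptions; with FWCMD left unset the script only echoes the ipfw commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeBSD tree. It builds
# a small ipfw ruleset for a host that runs named and natd: a public DNS
# service that does not create dynamic state per query, and NAT clients
# capped per host with "limit". FWCMD defaults to a dry run (echo) so the
# generated rules can be read before the script touches a live firewall.

FWCMD="${FWCMD:-echo /sbin/ipfw -q}"   # live use: FWCMD=/sbin/ipfw
PUB_IP="${PUB_IP:-203.0.113.53}"       # assumed public address (RFC 5737 range)
LAN="${LAN:-192.168.1.0/24}"           # assumed NAT clients
OIF="${OIF:-vlan1}"                    # outside interface
LIF="${LIF:-fxp0}"                     # inside interface (assumed name)
PER_HOST="${PER_HOST:-6}"              # max tracked connections per LAN host

ipfw_rules() {
    # natd sees everything that crosses the outside interface, in both
    # directions, before the rules below are evaluated.
    $FWCMD add 50 divert natd ip from any to any via "$OIF"

    # Dynamic rules created by keep-state/limit below are matched here.
    $FWCMD add 100 check-state

    # Public DNS service, stateless on purpose: with keep-state every query
    # would add an entry to the dynamic table (bounded by
    # net.inet.ip.fw.dyn_max), and a busy server can fill it, after which
    # no new dynamic rule can be installed until old ones expire.
    $FWCMD add 200 allow udp from any to "$PUB_IP" 53 in via "$OIF"
    $FWCMD add 210 allow tcp from any to "$PUB_IP" 53 setup in via "$OIF"
    $FWCMD add 220 allow tcp from any to any established

    # The server's own lookups are low volume, so state is cheap here and
    # the replies are matched by check-state at rule 100.
    $FWCMD add 300 allow udp from "$PUB_IP" to any 53 out via "$OIF" keep-state
    # Everything else this host sends, including named's responses and
    # translated client traffic (which now carries the public address).
    $FWCMD add 310 allow ip from "$PUB_IP" to any out via "$OIF"

    # NAT clients: at most PER_HOST concurrent tracked connections per source
    # address. Evaluated on the inside interface, before natd rewrites the
    # source, so the count is per private address.
    $FWCMD add 400 allow tcp from "$LAN" to any setup limit src-addr "$PER_HOST" in via "$LIF"
    $FWCMD add 410 allow udp from "$LAN" to any limit src-addr "$PER_HOST" in via "$LIF"

    # Log and drop whatever did not match; this is the rule the thread's
    # "65000 Deny UDP" log lines come from.
    $FWCMD add 65000 deny log ip from any to any
}

ipfw_rules
```

The point of rule 200 is what it lacks. Stateless allow rules for the service port, plus keep-state only for the server's own low-volume lookups, leave the dynamic table for the things that need it, the per-host limit rules included. Compare sysctl net.inet.ip.fw.dyn_count with dyn_max on a busy server before adding keep-state to a public service rule. Once the echoed rules look right, run the script with FWCMD=/sbin/ipfw; "ipfw -a -d list" then shows per-rule hit counters together with the live dynamic rules.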
From: Dorijan Jelincic <dorijan@kset.org>
Organization: FER
Date: Thu, 19 May 2005 02:29:33 +0200
To: freebsd-ipfw@freebsd.org
Subject: problem compiling ipfw

Hello freebsd-ipfw,

I have a problem compiling ipfw from the latest cvs... also, since I upgraded my kernel dummynet is not working properly... things like "ipfw pipe 1000 config bw 0" don't work anymore...

free# ipfw pipe 1000 config bw 0
ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument

This worked before (in snapshot002).

Warning: Object directory not changed from original /usr/src/sbin/ipfw
cc -O2 -fno-strict-aliasing -pipe -c ipfw2.c
ipfw2.c:1056: error: syntax error before '*' token
ipfw2.c: In function `print_ip6':
ipfw2.c:1059: error: `cmd' undeclared (first use in this function)
ipfw2.c:1059: error: (Each undeclared identifier is reported only once
ipfw2.c:1059: error: for each function it appears in.)
ipfw2.c:1063: error: `s' undeclared (first use in this function)
ipfw2.c:1065: error: `O_IP6_SRC_ME' undeclared (first use in this function)
ipfw2.c:1065: error: `O_IP6_DST_ME' undeclared (first use in this function)
ipfw2.c:1069: error: `O_IP6' undeclared (first use in this function)
ipfw2.c:1082: error: `O_IP6_SRC' undeclared (first use in this function)
ipfw2.c:1082: error: `O_IP6_DST' undeclared (first use in this function)
ipfw2.c: At top level:
ipfw2.c:1107: error: syntax error before '*' token
ipfw2.c: In function `fill_icmp6types':
ipfw2.c:1111: error: `cmd' undeclared (first use in this function)
ipfw2.c:1112: error: `av' undeclared (first use in this function)
ipfw2.c:1128: error: `O_ICMP6TYPE' undeclared (first use in this function)
ipfw2.c:1129: error: `ipfw_insn_icmp6' undeclared (first use in this function)
ipfw2.c: At top level:
ipfw2.c:1165: error: `EXT_FRAGMENT' undeclared here (not in a function)
ipfw2.c:1165: error: initializer element is not constant
ipfw2.c:1165: error: (near initialization for `ext6hdrcodes[0].x')
ipfw2.c:1165: error: initializer element is not constant
ipfw2.c:1165: error: (near initialization for `ext6hdrcodes[0]')
ipfw2.c:1166: error: `EXT_HOPOPTS' undeclared here (not in a function)
ipfw2.c:1166: error: initializer element is not constant
ipfw2.c:1166: error: (near initialization for `ext6hdrcodes[1].x')
ipfw2.c:1166: error: initializer element is not constant
ipfw2.c:1166: error: (near initialization for `ext6hdrcodes[1]')
ipfw2.c:1167: error: `EXT_ROUTING' undeclared here (not in a function)
ipfw2.c:1167: error: initializer element is not constant
ipfw2.c:1167: error: (near initialization for `ext6hdrcodes[2].x')
ipfw2.c:1167: error: initializer element is not constant
ipfw2.c:1167: error: (near initialization for `ext6hdrcodes[2]')
ipfw2.c:1168: error: `EXT_AH' undeclared here (not in a function)
ipfw2.c:1168: error: initializer element is not constant
ipfw2.c:1168: error: (near initialization for `ext6hdrcodes[3].x')
ipfw2.c:1168: error: initializer element is not constant
ipfw2.c:1168: error: (near initialization for `ext6hdrcodes[3]')
ipfw2.c:1169: error: `EXT_ESP' undeclared here (not in a function)
ipfw2.c:1169: error: initializer element is not constant
ipfw2.c:1169: error: (near initialization for `ext6hdrcodes[4].x')
ipfw2.c:1169: error: initializer element is not constant
ipfw2.c:1169: error: (near initialization for `ext6hdrcodes[4]')
ipfw2.c:1170: error: initializer element is not constant
ipfw2.c:1170: error: (near initialization for `ext6hdrcodes[5]')
ipfw2.c: In function `fill_ext6hdr':
ipfw2.c:1213: error: `O_EXT_HDR' undeclared (first use in this function)
ipfw2.c: In function `show_ipfw':
ipfw2.c:1553: error: `O_IP6_SRC' undeclared (first use in this function)
ipfw2.c:1554: error: `O_IP6_SRC_MASK' undeclared (first use in this function)
ipfw2.c:1555: error: `O_IP6_SRC_ME' undeclared (first use in this function)
ipfw2.c:1561: error: `ipfw_insn_ip6' undeclared (first use in this function)
ipfw2.c:1561: error: syntax error before ')' token
ipfw2.c:1566: error: `O_IP6_DST' undeclared (first use in this function)
ipfw2.c:1567: error: `O_IP6_DST_MASK' undeclared (first use in this function)
ipfw2.c:1568: error: `O_IP6_DST_ME' undeclared (first use in this function)
ipfw2.c:1574: error: syntax error before ')' token
ipfw2.c:1579: error: `O_FLOW6ID' undeclared (first use in this function)
ipfw2.c:1813: error: `O_IP6' undeclared (first use in this function)
ipfw2.c:1817: error: `O_ICMP6TYPE' undeclared (first use in this function)
ipfw2.c:1821: error: `O_EXT_HDR' undeclared (first use in this function)
ipfw2.c: In function `list_queues':
ipfw2.c:1989: error: structure has no member named `flow_id6'
ipfw2.c:1990: error: structure has no member named `src_ip6'
ipfw2.c:1993: error: structure has no member named `dst_ip6'
ipfw2.c:2008: error: structure has no member named `flow_id6'
ipfw2.c:2009: error: structure has no member named `src_ip6'
ipfw2.c:2012: error: structure has no member named `dst_ip6'
ipfw2.c: At top level:
ipfw2.c:2742: error: syntax error before '*' token
ipfw2.c: In function `fill_ip6':
ipfw2.c:2745: error: `cmd' undeclared (first use in this function)
ipfw2.c:2753: error: `av' undeclared (first use in this function)
ipfw2.c:2801: error: syntax error before "if"
ipfw2.c:2806: error: `p' undeclared (first use in this function)
ipfw2.c:2809: error: `masklen' undeclared (first use in this function)
ipfw2.c:2818: error: continue statement not within a loop
ipfw2.c:2826: error: break statement not within loop or switch
ipfw2.c: At top level:
ipfw2.c:2838: error: syntax error before '->' token
ipfw2.c:2839: warning: parameter names (without types) in function declaration
ipfw2.c:2839: error: conflicting types for 'free'
/usr/include/stdlib.h:93: error: previous declaration of 'free' was here
ipfw2.c:2839: error: conflicting types for 'free'
/usr/include/stdlib.h:93: error: previous declaration of 'free' was here
ipfw2.c:2839: warning: data definition has no type or storage class
ipfw2.c:2840: error: syntax error before "return"
*** Error code 1

-- 
"Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. That's relativity."
Albert Einstein

Dorijan Jelincic, 9a3ajd

From: Max Laier <max@love2party.net>
Date: Thu, 19 May 2005 02:58:22 +0200
To: Dorijan Jelincic
Cc: freebsd-ipfw@freebsd.org
Subject: Re: problem compiling ipfw

On Thursday 19 May 2005 02:29, Dorijan Jelincic wrote:
> Hello freebsd-ipfw,
>
> I have a problem compiling ipfw from the latest cvs...
> also, since I upgraded my kernel dummynet is not working properly...
> things like "ipfw pipe 1000 config bw 0" don't work anymore...
>
> free# ipfw pipe 1000 config bw 0
> ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
>
> This worked before (in snapshot002).
>
> Warning: Object directory not changed from original /usr/src/sbin/ipfw
> cc -O2 -fno-strict-aliasing -pipe -c ipfw2.c
> ipfw2.c:1056: error: syntax error before '*' token
> ipfw2.c: In function `print_ip6':
> ipfw2.c:1059: error: `cmd' undeclared (first use in this function)
> ipfw2.c:1059: error: (Each undeclared identifier is reported only once
> ipfw2.c:1059: error: for each function it appears in.)
> ipfw2.c:1063: error: `s' undeclared (first use in this function)
> ipfw2.c:1065: error: `O_IP6_SRC_ME' undeclared (first use in this function)

Looks like you are using a stale version of ip_fw.h. Make sure that you have rev. 1.98 or later in /usr/include/netinet - or at least in the search path of your build. Doing the safe "buildworld, buildkernel" thing should ensure that.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
From: Stephane Raimbault <stephane@enertiasoft.com>
Date: Fri, 20 May 2005 07:10:20 -0600
Cc: freebsd-ipfw@freebsd.org, Jose Hidalgo
Subject: Re: named error sending response: permission denied

Does anyone have any further thoughts on this, or could maybe point me in a direction that could help me solve the problem?

Thanks,
Stephane

On 18-May-05, at 11:08 AM, Stephane Raimbault wrote:
>
> On 18-May-05, at 11:03 AM, Jose Hidalgo wrote:
>
>> On Wed, 2005-05-18 at 10:51 -0600, Stephane Raimbault wrote:
>>
>>> I also noticed these errors in my ipfw.log file:
>>>
>>> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:3371 in via vlan1
>>> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:1420 in via vlan1
>>> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:2961 in via vlan1
>>> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:4701 in via vlan1
>>
>> As you can see, and according to the ACLs, you have
>> the problem when 204.9.110.134 is the client of
>> the DNS queries.
>>
>> You may need to add
>>
>> ${fwcmd} add pass udp from ${ip2} to any 53 keep-state
>
> Actually... I already had this in another part of my ipfw rules:
>
> ${fwcmd} add pass udp from ${ip2} to any 53 keep-state
>
> The server itself can also make DNS requests out... however it
> still seems that requests (not all) are getting kiboshed by something.
>
>> or you may want to reduce the number of rules with:
>>
>> ${fwcmd} add pass udp from any to any 53 keep-state
>>
>> --
>> Jose Hidalgo
>> Corp. Hostarica S.A.
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 20 13:50:37 2005
From: Chuck Swiger
Organization: The Courts of Chaos
Date: Fri, 20 May 2005 09:50:32 -0400
To: Stephane Raimbault
cc: freebsd-ipfw@freebsd.org
Subject: Re: named error sending response: permission denied
Message-ID: <428DEB28.5030505@mac.com>
In-Reply-To: <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com>
References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com>
Stephane Raimbault wrote:
> Does anyone have any further thoughts on this, or could maybe point me
> in a direction that could help me solve the problem?

Take a look at "ipfw -a l", and see which rules are being matched. The output from that command is critical for understanding what the firewall is actually doing, and should help you figure out what is going on. [1]

Do these make your DNS work better:

    ipfw add 1 pass udp from any to any 53
    ipfw add pass udp from any 53 to any

...? These rules are too open, and should just be used for testing, but you can see if the problem is with the firewall rules you have now, and adjust things from there.

--
-Chuck

[1]: It would also help *us* figure out what the issue is. If you still need help after this, providing more info would be useful.

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 20 22:52:58 2005
From: Mikhail
Date: Fri, 20 May 2005 15:52:58 -0700
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Message-ID: <20050520225258.GA77121@sonic.ux6.net>
X-PGP-Key: http://sonic.ux6.net/~miha/gpg_miha.asc
Subject: Weird
routing issues

Hello lists,

(I apologize for cross-posting to freebsd-ipfw).

I came across a very weird issue with routing today - somehow, a FreeBSD box routes packets it shouldn't be routing. Here it goes:

One of our customers has a VPN connection to one of the remote servers. We are using an OpenVPN-2 tunnel for this purpose because it is relatively easy to set up and maintain.

The VPN tunnel is used for the customer to access the internet through the remote VPN server to which he connects, so it basically looks like this:

    [customer]--->[secure vpn tun via internet]--->[vpn server]--->[internet for customer]

The whole setup is pretty straightforward:

On the customer's end, the customer connects to the Net through a DSL modem, and has a small DMZ locally. There is also a FreeBSD box, which is used to set up the OpenVPN tunnel. Both the FreeBSD box and the customer are on one switch, within one subnet, and see the Net through the DSL modem (which is plugged into the same switch for uplink).

On the server's end, there is a standalone FreeBSD box connected to the Net.

Since the customer's FreeBSD box is NAT'ed behind the DSL modem, the OpenVPN tunnel was set up so that both sides see each other internally (within the tunnel) using local IPs:

- 192.168.10.3, iface tun0 - the IP the remote VPN server has once the VPN connection gets established
- 192.168.10.4, iface tun0 - the IP the customer's FreeBSD box has once the VPN connection gets established

The subnet the customer uses inside his DMZ is 10.0.0.0/24.
The following IPs are used:

- 10.0.0.1 - DSL modem
- 10.0.0.2 - FreeBSD VPN box
- 10.0.0.3 - customer's computer

So my aim was to route 10.0.0.3 to the Net through the remote VPN server. This was accomplished with the following steps:

1) run natd on the remote VPN server, with a divert rule like:

    divert 8668 ip from 10.0.0.0/24 to any out xmit rl0

2) add a routing entry on the remote VPN server for the 10.0.0.0/24 net:

    /sbin/route add 10.0.0.0/24 192.168.10.4

3) turn on interface forwarding on both sides

4) on the customer's FreeBSD box, set up packet forwarding to the remote VPN server as:

    ipfw add fwd 192.168.10.3 ip from 10.0.0.3 to any

So the only step that remains is to change the default gateway on 10.0.0.3 to the FreeBSD VPN box (10.0.0.2) instead of the DSL modem. And voila - 10.0.0.3 sees the internet through this VPN tunnel and all works beautifully.

So far all seems great; however, now I need to route this customer back through his DSL modem. To do that, the customer simply changes his default gateway back to the DSL modem (10.0.0.1). All works beautifully, but one serious problem just occurred - the customer did not change his route back to 10.0.0.1 (he still had FreeBSD's 10.0.0.2 in his settings), and I removed the "fwd" rule from ipfw by mistake, and what we saw was that the customer was still able to surf the Net! However, he was routed through his normal path (not the VPN).

- ipfw was flushed
- there's no natd, nor any other NAT on the FreeBSD box
- no routing or anything

but it still acted as a gateway, routing packets it shouldn't be.

So after such a long thread (which I could probably cut a lot), my question is - how is it possible that the local FreeBSD box passed packets that it shouldn't be passing? I have bashed my head against the wall for a few hours now, and still couldn't figure it out - every time I remove the "fwd" rule from ipfw, the customer goes the normal route with no other changes.
I tweaked all the sysctls I could think of, and came to this: if I disable interface forwarding, the customer gets cut off and does not see the Net; enable interface forwarding again and he sees the Net again. I'm totally lost at this point.

Here's what was used to set up the VPN tunnel:

- OpenVPN-2.0
- remote VPN server runs FreeBSD-4.10
- local VPN server runs FreeBSD-5.2
- customer's PC runs Windows XP
- 10/100mbit network switch
- DSL modem

local FreeBSD /etc/sysctl & network:

    ##############################
    kern.corefile=/tmp/%N.code
    kern.logsigexit=0
    net.inet.ip.forwarding=1
    net.inet.ip.fastforwarding=1
    net.inet.ip.fw.one_pass=0
    net.inet.tcp.inflight_enable=1
    ##############################

    $ ifconfig
    sk0: flags=8843 mtu 1500
            inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
            inet6 fe80::211:2fff:fe87:919d%sk0 prefixlen 64 scopeid 0x1
            ether 00:11:2f:87:91:9d
            media: Ethernet autoselect (100baseTX )
            status: active
    plip0: flags=8810 mtu 1500
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    tun0: flags=8051 mtu 1500
            inet6 fe80::211:2fff:fe87:919d%tun0 prefixlen 64 scopeid 0x4
            inet 192.168.10.4 --> 192.168.10.3 netmask 0xffffffff
            Opened by PID 454

    $ netstat -nr
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs    Use  Netif Expire
    default            10.0.0.1           UGS         0     77    sk0
    10/24              link#1             UC          0      0    sk0
    10.0.0.1           00:a0:c5:9a:d7:49  UHLW        1      0    sk0    841
    127.0.0.1          127.0.0.1          UH          0      0    lo0
    192.168.10.3       192.168.10.4       UH          0     65   tun0

Anything else I need to specify? I would highly appreciate any help/tips on how to find and remedy this issue.
Sincerely,

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 21 16:36:06 2005
From: Giulio Ferro
Date: Sat, 21 May 2005 18:35:51 +0200
To: freebsd-ipfw@freebsd.org
Message-ID: <428F6367.4020004@zirakzigil.org>
Subject: Multiple match

After many years of using ipfw I've suddenly realized it doesn't do what I would expect... Let's keep it to this simple example.
On my firewall box I have 2 NICs, with machines attached to either side of it:

    Client 1 ----------rl0-|IPFW BOX|-rl1------------Client2

(let's suppose that both Client1 and Client2 know about their respective routes...)

I have a single rule in ipfw:

    ipfw add 10 allow icmp from any to any in via rl1

(the ping won't come back, but it doesn't matter here)

What I expected, until yesterday, is that if I ping from Client2 to Client1, my ping _ONLY_ passed through interface rl1, _NOT_ rl0! So, if I had wanted to make it pass through the whole firewall I would have set 2 rules:

    add 10 allow icmp from any to any in via rl1
    add 20 allow icmp from any to any out via rl0

If I turn on logging, I notice that rule 10 will be matched twice:

    10 Allow ...in via rl1
    10 Allow ...out via rl0

I don't like it. It doesn't give me enough control over the flows of traffic.

What do you think about this?
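The two-pass behaviour behind this question, modelled in Python as an added example (this is not ipfw source and not code from the thread). A packet routed through the box is run through the rule set once on input, when only the receive interface is known, and once on output, when the transmit interface is known too; `in`/`out` select the pass, `recv` and `xmit` test one specific interface, and `via` tests the transmit interface on the output pass and the receive interface on the input pass, as ipfw(8) documents. The model assumes the default rule is 65535 deny (the kernel default without IPFIREWALL_DEFAULT_TO_ACCEPT), uses constructed client addresses, and parses only the `from any to any` rule shape used in the post:

```python
"""Model of ipfw's two-pass evaluation of a forwarded packet (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_RULE = 65535   # assumption: implicit final rule is "deny"


@dataclass
class Rule:
    number: int
    action: str                       # "allow" or "deny"
    proto: str = "ip"                 # "ip" matches every protocol
    direction: Optional[str] = None   # None, "in" or "out"
    iface_kw: Optional[str] = None    # None, "via", "recv" or "xmit"
    iface: Optional[str] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str


ACTIONS = {"allow": "allow", "pass": "allow", "accept": "allow", "permit": "allow",
           "deny": "deny", "drop": "deny"}


def parse_rule(text: str) -> Rule:
    """Parse 'add N action proto from any to any [in|out] [via|recv|xmit IF]'."""
    toks = text.split()
    if toks and toks[0] == "ipfw":
        toks = toks[1:]
    if len(toks) < 8 or toks[0] != "add" or not toks[1].isdigit():
        raise ValueError(f"unsupported rule: {text!r}")
    number, action, proto = int(toks[1]), ACTIONS[toks[2]], toks[3]
    rest = toks[4:]
    if rest[:4] != ["from", "any", "to", "any"]:
        raise ValueError("this model only understands 'from any to any'")
    rest = rest[4:]
    direction = iface_kw = iface = None
    while rest:
        t = rest.pop(0)
        if t in ("in", "out"):
            direction = t
        elif t in ("via", "recv", "xmit"):
            iface_kw, iface = t, rest.pop(0)
        else:
            raise ValueError(f"unsupported token {t!r}")
    return Rule(number, action, proto, direction, iface_kw, iface)


def iface_matches(rule: Rule, rcvif: str, oif: Optional[str]) -> bool:
    """Interface predicate for one pass; oif is None on the input pass."""
    if rule.iface_kw is None:
        return True
    if rule.iface_kw == "recv":
        return rcvif == rule.iface
    if rule.iface_kw == "xmit":
        return oif == rule.iface                   # never true on the input pass
    return (oif if oif is not None else rcvif) == rule.iface   # "via"


def first_match(rules: List[Rule], pkt: Packet, rcvif: str,
                oif: Optional[str]) -> Tuple[int, str]:
    """First match in rule-number order; falls through to the default rule."""
    direction = "in" if oif is None else "out"
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto not in ("ip", pkt.proto):
            continue
        if r.direction is not None and r.direction != direction:
            continue
        if not iface_matches(r, rcvif, oif):
            continue
        return r.number, r.action
    return DEFAULT_RULE, "deny"


def forward(rules: List[Rule], pkt: Packet, rcvif: str, oif: str) -> List[str]:
    """Input pass, then (only if allowed) output pass; returns ipfw-log-style lines."""
    def line(num: int, act: str, dirn: str, ifn: str) -> str:
        return f"{num} {act.capitalize()} {pkt.proto.upper()} {pkt.src} {pkt.dst} {dirn} via {ifn}"
    num, act = first_match(rules, pkt, rcvif, None)
    log = [line(num, act, "in", rcvif)]
    if act == "allow":
        num, act = first_match(rules, pkt, rcvif, oif)
        log.append(line(num, act, "out", oif))
    return log


# Constructed addresses: Client2 (behind rl1) pinging Client1 (behind rl0).
PING = Packet("icmp", "10.0.2.2", "10.0.1.2")


def scenario(rule_texts: List[str]) -> List[str]:
    return forward([parse_rule(t) for t in rule_texts], PING, rcvif="rl1", oif="rl0")


if __name__ == "__main__":
    for name, rules in [
        ("single rule, in via rl1", ["add 10 allow icmp from any to any in via rl1"]),
        ("in via rl1 plus out via rl0", ["add 10 allow icmp from any to any in via rl1",
                                         "add 20 allow icmp from any to any out via rl0"]),
        ("no direction, no interface", ["add 10 allow icmp from any to any"]),
        ("via rl1 without a direction", ["add 10 allow icmp from any to any via rl1"]),
    ]:
        print(name)
        for entry in scenario(rules):
            print("   ", entry)
```

The third scenario is the one that produces two "10 Allow" lines for the same packet: a rule with no direction and no interface qualifier matches on both passes. With `in via rl1` alone the input pass matches rule 10 and the output pass falls through to the default rule, so the ping never leaves rl0; adding rule 20 `out via rl0` gives each pass its own rule, which is the per-pass control the post asks for. Whether the fall-through is a deny or an accept depends on how the kernel was built, which is why checking the default rule with `ipfw list` matters when a rule set looks stricter than it behaves.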