From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 22 11:02:15 2005
From: FreeBSD bugmaster
Date: Mon, 22 Aug 2005 11:02:14 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
Message-Id: <200508221102.j7MB2Eua036855@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
f [2004/12/25] kern/75483  ipfw   ipfw count does not count
o [2005/05/11] bin/80913   ipfw   /sbin/ipfw2 silently discards MAC addr ar

8 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca
o [2005/05/05] kern/80642  ipfw   [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28] kern/82724  ipfw   [patch] Add setnexthop and defaultroute f

4 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 22 11:03:01 2005
From: FreeBSD bugmaster
Date: Mon, 22 Aug 2005 11:02:53 GMT
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
Message-Id: <200508221102.j7MB2ruZ037413@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 23 08:10:36 2005
From: vladone
Date: Tue, 23 Aug 2005 11:10:33 +0300
To: freebsd-questions@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: error when use table option with ipfw
Message-ID: <163971811.20050823111033@spaingsm.com>

Hi!
I tried to use the table option but it does not work.
First, I use FreeBSD 5.4 release.
In short I have:

cmd="ipfw -q"

$cmd table 1 add 192.168.0.0/24
$cmd table 1 add 192.168.2.0/24
$cmd table 1 add 192.168.3.0/24
$cmd table 1 add 192.168.4.0/24

$cmd add 700 count ip from table(1) to any via $lif

When I run the script I receive a syntax error: "ipfw.sh: 78: Syntax error: "(" unexpected".
I don't understand where the error is. Do I need some compiler options to work with this option?
If I run:

#ipfw table 1 list

I get the list of entries in this table without any error.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 23 09:00:22 2005
From: Ruslan Ermilov
Date: Tue, 23 Aug 2005 11:57:52 +0300
To: vladone
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: error when use table option with ipfw
Message-ID: <20050823085752.GB15272@ip.net.ua>
In-Reply-To: <163971811.20050823111033@spaingsm.com>

On Tue, Aug 23, 2005 at 11:10:33AM +0300, vladone wrote:
> Hi!
> I tried to use the table option but it does not work.
> First, I use FreeBSD 5.4 release.
> In short I have:
> cmd="ipfw -q"
>
> $cmd table 1 add 192.168.0.0/24
> $cmd table 1 add 192.168.2.0/24
> $cmd table 1 add 192.168.3.0/24
> $cmd table 1 add 192.168.4.0/24
>
> $cmd add 700 count ip from table(1) to any via $lif
>
> When I run the script I receive a syntax error: "ipfw.sh: 78: Syntax error: "(" unexpected".
> I don't understand where the error is.
> Do I need some compiler options to work with this option?
> If I run:
> #ipfw table 1 list
> I get the list of entries in this table without any error.
>

Since this is a shell script, `(' has a special meaning to group commands
for executing them in a sub-shell.  To cancel the special meaning, you can
prefix it with the `\' character.
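As an added illustration of the escaping Ruslan describes (example code written for this page, not part of his reply or of vladone's script): the rule written with escaped and with quoted parentheses, a parse check that a ruleset script can be run through before it is loaded, and ipfw replaced by a stub that echoes the arguments it receives so the script runs without root; $lif is assumed to be em1.

```shell
#!/bin/sh
# Added example (not from the original thread): two shell-safe spellings of the
# rule from the post above, plus a parse check to run before loading a ruleset.
# ipfw itself is replaced by a stub that echoes its arguments, so this runs
# anywhere without root; $lif is assumed to be em1 (constructed value).

lif=em1
fake_ipfw() { printf '%s\n' "$*"; }
cmd="fake_ipfw -q"          # same shape as cmd="ipfw -q" in the original script

# The original line cannot be parsed at all:
#   $cmd add 700 count ip from table(1) to any via $lif
# sh treats "(" as an operator that opens a subshell, so the script aborts before
# ipfw ever sees the rule.  Escaping the parentheses or quoting the word hides
# them from the shell; ipfw receives the literal token "table(1)" either way.

rule_escaped() { $cmd add 700 count ip from table\(1\) to any via "$lif"; }
rule_quoted()  { $cmd add 700 count ip from 'table(1)' to any via "$lif"; }

# A ruleset that aborts halfway leaves the firewall in an unknown state.  sh -n
# parses a script without executing it, so a syntax error is caught before any
# rule is added.  Returns 0 when the script parses, non-zero when it does not.
ruleset_parses() {
    sh -n "$1" 2>/dev/null
}

# Write the broken line and a fixed line to temporary scripts and confirm that
# only the fixed one passes the parse check.  Returns 0 on the expected outcome.
parse_check_demo() {
    bad=$(mktemp) && good=$(mktemp) || return 2
    printf '%s\n' 'cmd="ipfw -q"' \
        '$cmd add 700 count ip from table(1) to any via em1' > "$bad"
    printf '%s\n' 'cmd="ipfw -q"' \
        '$cmd add 700 count ip from table\(1\) to any via em1' > "$good"
    bad_parses=0; good_parses=0
    ruleset_parses "$bad"  && bad_parses=1
    ruleset_parses "$good" && good_parses=1
    rm -f "$bad" "$good"
    # Expected: the broken script is rejected and the fixed one accepted.
    [ "$bad_parses" -eq 0 ] && [ "$good_parses" -eq 1 ]
}

# Stand-alone run: show the rule as ipfw receives it and the parse check result.
rule_escaped
parse_check_demo && echo "parse check: broken script rejected, fixed script accepted"
```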
Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 23 12:31:39 2005
From: vladone
Date: Tue, 23 Aug 2005 15:31:22 +0300
To: freebsd-ipfw@freebsd.org
Subject: ipfw+dummynet challenge
Message-ID: <1702689158.20050823153122@spaingsm.com>

Hi!
The scope of this mail is to challenge anybody who has some experience to present some complex situation with dummynet.
This idea came because I don't find a complex presentation anywhere.
I see some features of HTB in Linux (I don't want to begin a long and ponderous discussion about Linux and FreeBSD) that can be attractive.
It would be nice if people with more experience could give some examples with dummynet, more complex than "each host receives the same bandwidth ..." or "each host shares the same pipe ...".
I don't know if it is clear, but some ideas:
1. share bandwidth between pipes
2. priority for users with more bandwidth against users with low bandwidth if the total bandwidth is not enough. If it is possible, of course!
Any idea is good to see.
Thanks!

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 24 14:57:16 2005
From: Hugo Osorio
Date: Wed, 24 Aug 2005 09:57:15 -0500
To: freebsd-ipfw@freebsd.org
Message-ID: <680ac84705082407576dd2f6b4@mail.gmail.com>
Subject: mime contents thru ipfw

Hello,
I need to change some settings on the firewall to forward HTML MIME content packets to the proxy and back. Please, how can I do that?
The LAN I am on is unable to make any attachments, and sometimes I cannot access Gmail; I suppose this is the reason. But I need guidance in order to know where and what to set in my firewall file.
Thank you very much in advance.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 24 15:12:25 2005
From: he ccjj
Message-ID: <6f9d8a5050824081264f5e801@mail.gmail.com>
Date: Wed, 24 Aug 2005 23:12:19 +0800
To: freebsd-ipfw@freebsd.org
In-Reply-To: <6f9d8a505082218053b2ff769@mail.gmail.com>
Subject: pureftpd can't work normally on pureftp--NATD--ipfw--FreeBSD 5.4

I use FreeBSD 5.4 (with OPTION IPFW on and IPFIREWALL_DEFAULT_TO_ACCEPT on) + apache + pureftp + natd to set up a server used as an ftp/web server and as a gateway for a shared network too.
My network is like this:

                        ------(oip:x.x.x.a)------
                        |                        |
            (oif:em0)-->|                        |-->(internet gateway:x.x.x.254)
                ^       |                        |
                |       ---(oip alias0:x.x.x.b)---
                |
(iif:em1,iip:192.168.100.254)<-------(inet 192.168.100.254/16)<---(intranet)

I bind oip x.x.x.a as the httpd and pureftpd server IP, and use em0_alias0 (x.x.x.b) as natd's interface, with the rc.firewall rule set 'open'. So my intranet can share the internet normally through natd on x.x.x.b, and the http server works normally too. The users of the intranet (192.168.100.254/16) can visit pureftpd correctly.
My problem is: users from the internet can't visit my pureftpd on x.x.x.a correctly. The debug information is below. From the error it looks like an ipfw rule is wrong (when I use the "open" rule set in rc.firewall I get the same error). If I remove em0_alias0 (x.x.x.b) and set natd_interface to x.x.x.a, it works very well!
Has anyone met this problem before? I have seen something like an ftp proxy in pf; how do I write those rules in ipfw? Please help!

==============================================
*** CuteFTP Pro 6.0 - build Mar 25 2004 ***
STATUS:> Getting listing ""...
STATUS:> Resolving host name x.x.x.a...
STATUS:> Host name x.x.x.a resolved: ip = x.x.x.a.
STATUS:> Connecting to FTP server x.x.x.a:21 (ip = x.x.x.a)...
STATUS:> Socket connected. Waiting for welcome message...
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-Local time is now 23:07. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
STATUS:> Connected. Authenticating...
COMMAND:> USER tmp
331 User tmp OK. Password required
COMMAND:> PASS *****
230-User tmp has group access to: www
230 OK. Current restricted directory is /
STATUS:> Login successful.
COMMAND:> PWD
257 "/" is your current location
STATUS:> Home directory: /
COMMAND:> FEAT
211-Extensions supported:
 EPRT
 IDLE
 MDTM
 SIZE
 REST STREAM
 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
 MLSD
 ESTP
 PASV
 EPSV
 SPSV
211 End.
STATUS:> This site supports features.
STATUS:> This site supports SIZE.
STATUS:> This site can resume broken downloads.
COMMAND:> REST 0
350 Restarting at 0
COMMAND:> PASV
227 Entering Passive Mode (x,x,x,a,158,251)
STATUS:> Connecting FTP data socket x.x.x.a:40699...
ERROR:> The connection failed due to an error or timeout.
  1) Verify that the destination IP address is correct.
  ......
  12) Verify that your anti-virus software is not at fault (try disabling it).
ERROR:> PASV failed, trying PORT.
STATUS:> Waiting 0 seconds...
STATUS:> Getting listing "/"...
STATUS:> Resolving host name x.x.x.a...
STATUS:> Host name x.x.x.a resolved: ip = x.x.x.a.
STATUS:> Connecting to FTP server x.x.x.a:21 (ip = x.x.x.a)...
STATUS:> Socket connected. Waiting for welcome message...
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-Local time is now 23:08. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
STATUS:> Connected. Authenticating...
COMMAND:> USER tmp
331 User tmp OK. Password required
COMMAND:> PASS *****
230-User tmp has group access to: www
230 OK. Current restricted directory is /
STATUS:> Login successful.
COMMAND:> PWD
257 "/" is your current location
STATUS:> Home directory: /
STATUS:> This site supports features.
STATUS:> This site supports SIZE.
STATUS:> This site can resume broken downloads.
COMMAND:> REST 0
350 Restarting at 0
COMMAND:> PORT 192,168,123,104,6,18
200 PORT command successful
COMMAND:> LIST
ERROR:> Timeout (60000 ms) occurred on receiving server response.
==============================================

content of /etc/rc.conf:
========================
hostname="x.x.x.a"
ifconfig_em0="inet x.x.x.a netmask 255.255.255.0"
ifconfig_em0_alias0="inet x.x.x.b netmask 255.255.255.0"
ifconfig_em1="inet 192.168.100.254 netmask 255.255.255.0"
defaultrouter="x.x.x.254"
static_routes="inside"
route_inside="-net 192.168.100.254/16 192.168.100.1"
#proxy:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="x.x.x.b"
nat_flag="-a x.x.x.b"
#servers:
inetd_enable="YES"
#pureftpd_enable="YES"
apache2_enable="YES"
=========================

content of /etc/inetd.conf:
================================
ftp     stream  tcp     nowait  root    /usr/local/sbin/pure-ftpd       pure-ftpd -Sx.x.x.a,21 -Px.x.x.a -lmysql:/usr/local/etc/pureftpd-mysql.conf -A -j -D -Oclf:/web/logs/ftp/pureftp.log
#ftp    stream  tcp     nowait  root    /usr/local/sbin/pure-ftpd       pure-ftpd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd  sshd -i -4
================================
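Added example, not part of the post above: a decoder for the address and port that the PASV reply and the PORT command in the log advertise, with a check that flags endpoints a peer on the far side of NAT cannot use (it goes slightly beyond the log by flagging both RFC 1918 addresses and an address that differs from the control-connection peer). The sample lines are constructed from the log, with the masked server address x.x.x.a replaced by 203.0.113.10.

```shell
#!/bin/sh
# Added example (not from the original post): decode the address and port that a
# PASV reply or PORT command advertises, and flag endpoints a peer across NAT
# cannot reach.  Sample lines are constructed from the CuteFTP log above; the
# masked server address x.x.x.a is replaced with 203.0.113.10 (documentation range).

# Print "host port" for the first h1,h2,h3,h4,p1,p2 tuple in a line
# (port = p1*256 + p2), or nothing when the line carries no tuple.
ftp_decode() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+/) {
            split(substr($0, RSTART, RLENGTH), t, ",")
            printf "%d.%d.%d.%d %d\n", t[1], t[2], t[3], t[4], t[5] * 256 + t[6]
            exit
        }'
}

# Succeed when the dotted-quad in $1 lies in an RFC 1918 block.
is_private_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        $1 == 10                          { exit 0 }
        $1 == 172 && $2 >= 16 && $2 <= 31 { exit 0 }
        $1 == 192 && $2 == 168            { exit 0 }
                                          { exit 1 }'
}

# $1: address of the control-connection peer, $2: raw PASV reply or PORT line.
# Prints a verdict; returns 0 when the advertised endpoint is plausibly reachable,
# 1 when it is private or differs from the control peer, 2 when no tuple is found.
ftp_check_endpoint() {
    peer=$1
    decoded=$(ftp_decode "$2")
    [ -n "$decoded" ] || { echo "NONE no address tuple in line"; return 2; }
    host=${decoded% *}
    port=${decoded#* }
    if is_private_ipv4 "$host"; then
        echo "WARN $host:$port is RFC 1918 and not reachable across NAT"
        return 1
    fi
    if [ "$host" != "$peer" ]; then
        echo "WARN $host:$port differs from control peer $peer"
        return 1
    fi
    echo "OK $host:$port matches control peer"
    return 0
}

# Constructed samples: the server's PASV reply and the client's PORT command from the log.
PASV_LINE='227 Entering Passive Mode (203,0,113,10,158,251)'
PORT_LINE='COMMAND:> PORT 192,168,123,104,6,18'

# Stand-alone run.  The PASV endpoint decodes to 203.0.113.10:40699 and matches the
# server the client connected to, so the failed data connection in the log is not an
# address mismatch.  The PORT command advertises 192.168.123.104:1554, a private
# address the server cannot reach, consistent with the LIST timeout in active mode.
ftp_check_endpoint 203.0.113.10 "$PASV_LINE"
ftp_check_endpoint 203.0.113.10 "$PORT_LINE" || :
```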
From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 24 15:47:57 2005
From: he ccjj
Date: Wed, 24 Aug 2005 23:47:51 +0800
To: freebsd-ipfw@freebsd.org
In-Reply-To: <6f9d8a5050824081264f5e801@mail.gmail.com>
Message-ID: <6f9d8a50508240847596c49e1@mail.gmail.com>
Subject: pureftpd can't work normally on pureftp--NATD--ipfw--FreeBSD 5.4

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 25 08:38:45 2005
Date: Thu, 25 Aug 2005 15:38:05 +0700 (ICT)
From: Olivier Nicole
To: freebsd-ipfw@freebsd.org
Subject: Checksum in nat bridge
Message-Id: <200508250838.j7P8c5vA093513@banyan.cs.ait.ac.th>

Hi,

I am using ipfilter (is there a better list to ask my question?).

I have a machine that is bridged between the interfaces; when I NAT a packet the checksum is not recalculated automatically.

Darren gave me a patch, but it does not correspond to the version of ipfilter bundled with FreeBSD 4.10.

So does anyone know how to force ip_nat to recalculate the checksum after it has changed a packet in a bridged environment?
TIA

Olivier

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 25 08:40:16 2005
From: Jeremie Le Hen
Date: Thu, 25 Aug 2005 10:40:39 +0200
To: Hugo Osorio
Cc: freebsd-ipfw@freebsd.org
Subject: Re: mime contents thru ipfw
Message-ID: <20050825084039.GH659@obiwan.tataz.chchile.org>
In-Reply-To: <680ac84705082407576dd2f6b4@mail.gmail.com>

Hugo,

> I need to change some settings on the firewall to forward html mime contents
> packets to the proxy and back, please how can i do that..
> the LAN on which i am is unabled to make any attachments.. and i can not
> sometimes to access gmail, i suppose this is the reason.. but I need
> guidance, in order to know where, and what to set in my firewall file,

You have to redirect the whole HTTP traffic to the proxy, or nothing.
You can't decide on layer 7 content.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 25 14:48:48 2005
Date: Thu, 25 Aug 2005 09:48:47 -0500
From: Hugo Osorio
To: freebsd-ipfw@freebsd.org
Message-ID: <680ac84705082507486347b67@mail.gmail.com>
In-Reply-To: <20050825084039.GH659@obiwan.tataz.chchile.org>
Subject: Re: mime contents thru ipfw
I have two proxies available, and on the machine where I have the firewall there are routes created for routing to one proxy or the other, 172.25.x.x or 172.24.x.x. With the .24.x.x proxy I don't have any hassle, but I do with the .25.x.x one.

> You have to redirect the whole HTTP traffic to the proxy, or nothing.
> You can't decide on layer 7 content.

What do you recommend me to do first?

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 25 18:09:48 2005
Date: Thu, 25 Aug 2005 11:09:47 -0700 (PDT)
From: Colin Dick
To: lug@lug.kamloops.net, freebsd-ipfw@freebsd.org
Subject: Differences in arp requests FreeBSD vs Linux

Hey all,

My problem with my router dropping packets when moving to FreeBSD 4.11 from Linux appears to be related to ARP. This router sits between my network and the upstream ADSL wholesale ports. I had thought that the upstream's Cisco was not advertising the customer local ARPs, but that does not appear to be the case. It must have been a (?broken?) function of Linux.
When I grep the who-has ARP entries from tcpdump on Linux, I only see addresses to or from the sub-interfaces (gateways) of the box. When I grep the who-has ARP entries from FreeBSD, I see the end users' local ARPs as well. With viruses and vulnerabilities the way they are, this increase in ARPs seems to be causing errors on the Cisco.

I used ipfw to shut down particular 'problem' users and to block some UDP ports (1434, 1026, 1027), which seems to help a bit, but I still couldn't stabilize. I had to go back to Linux.

So, my question is, what can be done to silently discard the customer local ARPs, or to emulate the way the Linux router is functioning, with ipfw? Is there a kernel option that I can set at bootup? Am I on the wrong track entirely?

Thanks in advance for any feedback. I am looking forward to getting this router replaced.

-- 
Colin

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 25 19:02:16 2005
Date: Thu, 25 Aug 2005 12:02:13 -0700
From: Jon Simola
To: Colin Dick
Cc: freebsd-ipfw@freebsd.org, lug@lug.kamloops.net
Message-ID: <8eea0408050825120271544730@mail.gmail.com>
Subject: Re: Differences in arp requests FreeBSD vs Linux

On 8/25/05, Colin Dick wrote:
> My problem with my router dropping packets when moving to FreeBSD
> 4.11 from Linux appears to be related to arp. This router sits between my
> network and the upstream ADSL whole-sale ports. I had thought that the
> upstream's Cisco was not advertising the customer local arps but that does
> not appear to be the case. It must have been a (?broken?) function of
> Linux.

Looks like you're in Kamloops. I'm doing the same in Prince George (almost certainly with the same provider), and we've had tons of problems with $upstream on these and related issues.

> When I grep the who-has arp entries from tcpdump on Linux, I only
> see addresses to or from the sub-interfaces (gateways) of the box.
> When I grep the who-has arp entries from FreeBSD, I see the end
> users local arps as well. With viruses and vulnerabilities the way they
> are this increase in arps seems to be causing errors on the Cisco.

I just recently worked through a problem with this. ARP storms on the Cisco's VLANs were causing major packet loss on the 155Mbps fibre. There was absolutely nothing I could fix on my router, as the issue was with the design and implementation of $upstream's DSL network and their deviations from the documentation that we were provided.
The problems slowly ramped up and were a direct result of the number of DSL customers, not of the equipment we had in our network.

> So, my question is, what can be done to silently discard the
> customer local arps or emulate the way the Linux router is functioning
> with ipfw? Is there a kernel opt that I can set at bootup? Am I on the
> wrong track entirely?

This has to be done at the Cisco or at the customer's site. If you think of the DSL network as a large switch, you can pretty quickly see that some issues come up. If you've got 99 customers with DSL (ignoring vpi/pvc stuff in the middle), then the Cisco functions as a 100-port switch, with your router hanging off of it and the 99 virtual ports sharing a single physical fibre. There's not much that can be done on your router's switch port to stop the other 99 from talking amongst themselves.

I'm sure a lot of this is logical to a CCIE, but I learned the hard way that some of the recommendations from $upstream on DSL reselling were rather... imaginative. Email me privately if you have any further questions about $upstream.
-- 
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 27 23:54:29 2005
Date: Sun, 28 Aug 2005 09:24:25 +0930
From: pc9630
To: ipfw
Message-ID: <4310FD31.70709@gmail.com>
Subject: Dummynet + intro

Greetings List,

I am a new subscriber to the list (from Adelaide, Australia). Just introducing myself and looking for some pointers in the use of dummynet. I am a win32/linux user; I have some experience in the use/development of network simulators through my postgrad studies. I also have very limited BSD knowledge.

I am currently trying to evaluate a number of PABXs and have set up the picobsd version of dummynet
(preferring it over NISTNet). I want to put the PABXs through their paces with regards to IP trunking between 2 units (H.323). These units will be spread out geographically (DSL tails) and converging to a central point (our office).

I would like to set up a number of differing scenarios for link conditions, both typical and atypical and ridiculous. I have managed some trivial ones like a DSL link from examples, but I would like to set it up in such a way that I can try a number of different links and script it to make life easier.

1. The main link to the HO will be either wireless or landline to the ISP cloud.
2. The tails will be a smattering of DSL-grade links with varying properties: latency, jitter, and PL.

I would like to establish the main link (I assume as a pipe) and set up another representing the tail.

So the questions:

1. Does anyone have some suggestions for a typical line-of-sight wireless link?
2. Does anyone have some suggestions for the DSL tails?

I only need 2 nodes for testing purposes. All suggestions will be most useful.

regards
evan
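One way to script the "main link plus DSL tail" scenarios asked about in the post above, as an added example for this thread: it is not code from the original post, nor from the dummynet or picobsd projects. It assumes the dummynet box forwards between two interfaces, IN_IF on the PABX side and OUT_IF on the far side (fxp0/fxp1 are placeholder names), that ipfw sees forwarded packets with "in via <ifname>", and that the bandwidth, delay and loss figures are illustrative starting points rather than measured DSL or wireless characteristics. Since a dummynet pipe has one fixed delay, jitter is approximated here by steering a fraction of packets through a second, slower pipe with the ipfw `prob` rule option.

```shell
#!/bin/sh
# Scripted dummynet link scenarios for a two-node H.323 trunk test.
# Added example; not code from the original post or from the dummynet/picobsd
# projects. Assumptions: the dummynet box forwards between two interfaces,
# IN_IF on the PABX side and OUT_IF on the far side (fxp0/fxp1 are guesses,
# check ifconfig -a); ipfw sees forwarded packets with "in via <ifname>";
# bandwidth, delay and loss figures are illustrative, not measurements;
# the 'prob' rule option is an ipfw2 feature. DRY_RUN=1 prints the ipfw
# commands instead of running them.

IPFW=${IPFW:-/sbin/ipfw}
IN_IF=${IN_IF:-fxp0}
OUT_IF=${OUT_IF:-fxp1}
DRY_RUN=${DRY_RUN:-0}

ipfw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipfw %s\n' "$*"
    else
        "$IPFW" "$@"
    fi
}

# Flush pipes and rules so one scenario does not stack on top of another.
reset_link() {
    ipfw_cmd -f pipe flush
    ipfw_cmd -f flush
}

# asym_link BASE BW_DOWN BW_UP DELAY_MS PLR
# One pipe per direction: pipe BASE carries packets arriving on OUT_IF
# (towards the PABX), pipe BASE+1 packets arriving on IN_IF. DELAY_MS is
# one-way, so the round trip is about twice that. PLR is a fraction (0.01 = 1%).
asym_link() {
    base=$1; bw_down=$2; bw_up=$3; delay=$4; plr=$5
    up=$((base + 1))
    ipfw_cmd pipe "$base" config bw "$bw_down" delay "${delay}ms" plr "$plr"
    ipfw_cmd pipe "$up" config bw "$bw_up" delay "${delay}ms" plr "$plr"
    ipfw_cmd add "$((base * 10))" pipe "$base" ip from any to any in via "$OUT_IF"
    ipfw_cmd add "$((up * 10))" pipe "$up" ip from any to any in via "$IN_IF"
}

# jitter_dir BASE IFNAME BW DELAY_MS EXTRA_MS PROB PLR
# A dummynet pipe has a fixed delay, so jitter is approximated by steering a
# fraction PROB of the packets arriving on IFNAME (ipfw 'prob' option) through
# a second pipe that adds EXTRA_MS. Caveat: the two pipes are independent
# queues, so some packets arrive out of order; realistic for a jittery link,
# but keep it in mind when reading the PABX's RTP statistics.
jitter_dir() {
    base=$1; ifn=$2; bw=$3; delay=$4; extra=$5; prob=$6; plr=$7
    slow=$((base + 1))
    ipfw_cmd pipe "$base" config bw "$bw" delay "${delay}ms" plr "$plr"
    ipfw_cmd pipe "$slow" config bw "$bw" delay "$((delay + extra))ms" plr "$plr"
    # The prob rule must come first; packets it does not match fall through.
    ipfw_cmd add "$((base * 10))" prob "$prob" pipe "$slow" ip from any to any in via "$ifn"
    ipfw_cmd add "$((base * 10 + 1))" pipe "$base" ip from any to any in via "$ifn"
}

# scenario NAME: the two link types asked about above, plus one deliberately bad one.
scenario() {
    reset_link
    case $1 in
    dsl_tail)      # 1500/256 kbit/s ADSL tail, 25 ms one way, 1% loss
        asym_link 10 1500Kbit/s 256Kbit/s 25 0.01 ;;
    wireless_los)  # symmetric 10 Mbit/s line of sight, 5 ms, +15 ms on 20% of packets
        jitter_dir 20 "$OUT_IF" 10Mbit/s 5 15 0.2 0.002
        jitter_dir 30 "$IN_IF" 10Mbit/s 5 15 0.2 0.002 ;;
    ridiculous)    # 64 kbit/s, 300 ms one way, 10% loss: does the call survive?
        asym_link 40 64Kbit/s 64Kbit/s 300 0.1 ;;
    *) echo "unknown scenario: $1" >&2; return 1 ;;
    esac
}

# Usage: DRY_RUN=1 sh scenarios.sh dsl_tail   # print the commands
#        sh scenarios.sh dsl_tail             # apply them (as root)
if [ -n "${1:-}" ]; then
    scenario "$1"
fi
```

Two things to check on the actual box before trusting the numbers: the pipe rules rely on the default net.inet.ip.fw.one_pass=1, so a packet that has been through a pipe is accepted rather than re-run through the ruleset; and if the picobsd image is bridging rather than routing, bridged packets only reach ipfw when net.link.ether.bridge_ipfw is enabled. Run a scenario with DRY_RUN=1 first and compare the printed commands against ipfw(8) on the image, since the `prob` option and the bw/delay/plr syntax are ipfw2 features and the picobsd image's ipfw version is not stated in the thread.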