From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 11:02:27 2005
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 3 Oct 2005 11:02:12 GMT
Message-Id: <200510031102.j93B2CdY066264@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o  [2003/12/11]  kern/60154  ipfw   ipfw core (crash)
o  [2004/03/03]  kern/63724  ipfw   IPFW2 Queues dont t work
o  [2004/11/13]  kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o  [2004/11/19]  kern/74104  ipfw   ipfw2/1 conflict not detected or reported
f  [2004/12/25]  kern/75483  ipfw   ipfw count does not count
o  [2005/05/11]  bin/80913   ipfw   /sbin/ipfw2 silently discards MAC addr ar

8 problems total.

Non-critical problems

S  Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2004/10/29]  kern/73276  ipfw   ipfw2 vulnerability (parser error)
o  [2005/02/01]  kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca
o  [2005/05/05]  kern/80642  ipfw   [patch] IPFW small patch - new RULE OPTIO
o  [2005/06/28]  kern/82724  ipfw   [patch] Add setnexthop and defaultroute f

4 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 11:03:04 2005
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 3 Oct 2005 11:02:50 GMT
Message-Id: <200510031102.j93B2oeS066842@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S  Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/26]  kern/55984  ipfw   [patch] time based firewalling support fo
o  [2003/12/30]  kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o  [2004/08/03]  kern/69963  ipfw   ipfw: install_state warning about already
o  [2004/09/04]  kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 16:08:05 2005
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: ipfw@freebsd.org
Date: Mon, 03 Oct 2005 13:07:56 -0300
Message-ID: <4341575C.8080409@freebsdbrasil.com.br>
Subject: layer2 filtering and dummynet, bw reduced by half

Hello,

I am doing some simple tests in a specific environment where layer2 filtering and dummynet will work together. There is a complex set of FW rules, which showed a behaviour where, whenever I turn layer2 filtering on, dummynet configured pipes get the configured BW reduced by half. To check it out I reduced the production ruleset to a few simple and clear rules in a testing environment.

The current rules are:

    layer2() {
        ipfw add skipto 400 all from any to any mac-type ip,arp layer2
        ipfw add deny all from any to any layer2
    }

    countlog() {
        ipfw add 400 count log all from any to any in
        ipfw add 401 count log all from any to any out
    }

    pipe() {
        ipfw add pipe 1 all from any to 172.16.52.254/32 in
        ipfw add pipe 2 all from 172.16.52.254/32 to any out
        ipfw pipe 1 config bw 64Kbps queue 5
        ipfw pipe 2 config bw 64Kbps queue 5
    }

Very simple, nothing special. FYI, the one_pass feature for ipfw is '1' (default).

When net.link.ether.ipfw=0, dummynet works perfectly. The piped IP address can only up/down at the configured speed. But when I turn net.link.ether.ipfw=1 the maximum speed gets reduced exactly by half, just as if I had pipes configured at 32Kbps.

I have tested even without any layer2 rule loaded. The behaviour is just the same.

I am not sure what might be causing this weird behaviour. Is there anything that should be tuned up?
Any ideas on why it happens, and how to deal with it instead of configuring bw by 2 to get the desired speed? If there is a logical reason for that which I am unaware of, there is no problem in multiplying it by 2, but I would like to hear, technically, what the reason is. And especially, if it is something I am doing wrong, I would appreciate it if someone could point it out.

Thank you a lot :-)

--
Patrick Tracanelli
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 16:10:25 2005
From: Luigi Rizzo
To: Patrick Tracanelli
Cc: ipfw@freebsd.org
Date: Mon, 3 Oct 2005 09:10:24 -0700
Message-ID: <20051003091024.A92958@xorpc.icir.org>
In-Reply-To: <4341575C.8080409@freebsdbrasil.com.br>
Subject: Re: layer2 filtering and dummynet, bw reduced by half

you are passing traffic through the pipe twice.
you have to decide if your rules should apply to
layer2 or not and write the rules accordingly

luigi
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 16:28:00 2005
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Date: Mon, 03 Oct 2005 13:27:39 -0300
Message-ID: <43415BFB.1050800@freebsdbrasil.com.br>
In-Reply-To: <20051003091024.A92958@xorpc.icir.org>
Subject: Re: layer2 filtering and dummynet, bw reduced by half

Luigi Rizzo wrote:
> you are passing traffic through the pipe twice.
> you have to decide if your rules should apply to
> layer2 or not and write the rules accordingly

Why are they going twice through the pipe? When net.link.ether.ipfw=1, is it passed through all rules twice? Does "first match wins" not apply? How should it be made to pass only once? I have just tried:

    ipfw add 400 count log all from any to any in layer2
    ipfw add 401 count log all from any to any out layer2

where hopefully it would be passed only once (when passing layer2 rules), but it did not.

How could the rules be written to filter layer2 instead, in the given circumstances? 'Cos you say it should be written to apply to layer2 or not, and write the rules "accordingly", but in the following circumstance:

    00400      54     4566 count log ip from any to any in
    00401      42     4300 count log ip from any to any out
    00501      16     1616 pipe 1 ip from any to 172.16.52.254 in
    00601      16     1428 pipe 2 ip from 172.16.52.254 to any out
    65535   22052 10476881 allow ip from any to any

there is no layer2 rule, but if net.link.ether.ipfw=1 the /2 bw limiting happens again.
So it does not seem to be a matter of how to write the rules, but instead of having net.link.ether.ipfw=1 or not.

Or did I miss some point?

--
Patrick Tracanelli
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 16:38:02 2005
From: Luigi Rizzo
To: Patrick Tracanelli
Cc: ipfw@freebsd.org
Date: Mon, 3 Oct 2005 09:38:01 -0700
Message-ID: <20051003093801.B92958@xorpc.icir.org>
In-Reply-To: <43415BFB.1050800@freebsdbrasil.com.br>
Subject: Re: layer2 filtering and dummynet, bw reduced by half

see the ipfw manpage near the beginning with the graph
showing the packet flow.

"layer2" means the rule matches only on layer2.
"not layer2" matches only on layer 3.
if you don't put anything, it matches both layer2 and layer3.

luigi
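The packet flow Luigi points to, as an added example that is not code from the thread or from ipfw itself: a small Python model of the two firewall checkpoints. With net.link.ether.ipfw=1 a packet is checked once at the Ethernet layer and once at the IP layer, and a rule with no `layer2` / `not layer2` qualifier matches on both passes, so an unqualified `pipe` rule charges the packet to the pipe twice. Assumptions made here: one_pass=1 (as Patrick states), every frame is IP (the `mac-type ip,arp` test is not modelled), matching is reduced to direction, addresses and the layer qualifier, and the default rule 65535 is `allow`; the rule numbers and the host address are the ones from the thread.

```python
"""Model of the ipfw packet flow (added example, not code from the thread).
With net.link.ether.ipfw=1 a packet is checked once at the Ethernet layer
and once at the IP layer; a rule with no 'layer2' / 'not layer2' qualifier
matches on both passes, so an unqualified 'pipe' rule charges the packet
to the pipe twice. Assumptions: one_pass=1, all frames are IP, matching is
reduced to direction/addresses/layer, default rule 65535 is 'allow'."""
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    action: str               # 'pipe', 'count', 'allow', 'deny' or 'skipto'
    src: str = 'any'
    dst: str = 'any'
    direction: str = 'any'    # 'in', 'out' or 'any'
    layer: str = 'any'        # 'any' (no qualifier), 'layer2' or 'not layer2'
    arg: int = 0              # pipe number for 'pipe', target for 'skipto'


@dataclass
class Packet:
    src: str
    dst: str
    direction: str            # 'in' or 'out'


def matches(rule, pkt, at_layer2):
    """Layer qualifier semantics from ipfw(8): 'layer2' matches only at the
    Ethernet checkpoint, 'not layer2' only at the IP checkpoint, no
    qualifier matches at both."""
    if rule.layer == 'layer2' and not at_layer2:
        return False
    if rule.layer == 'not layer2' and at_layer2:
        return False
    if rule.direction != 'any' and rule.direction != pkt.direction:
        return False
    if rule.src != 'any' and rule.src != pkt.src:
        return False
    if rule.dst != 'any' and rule.dst != pkt.dst:
        return False
    return True


def ipfw_chk(ruleset, pkt, at_layer2):
    """One pass over the ruleset: first match wins within the pass, and with
    one_pass=1 a 'pipe' match ends the pass. Returns (verdict, pipe)."""
    i = 0
    while i < len(ruleset):
        rule = ruleset[i]
        if not matches(rule, pkt, at_layer2):
            i += 1
            continue
        if rule.action == 'count':
            i += 1
            continue
        if rule.action == 'skipto':
            i = next((k for k, r in enumerate(ruleset) if r.number >= rule.arg),
                     len(ruleset))
            continue
        if rule.action == 'pipe':
            return 'accept', rule.arg
        return rule.action, None
    return 'accept', None        # default rule 65535 allow ip from any to any


def pipe_traversals(ruleset, pkt, ether_ipfw):
    """How many times pkt is charged to each pipe while crossing the host:
    one ruleset pass per checkpoint the sysctl enables."""
    checkpoints = ([True] if ether_ipfw else []) + [False]
    hits = {}
    for at_layer2 in checkpoints:
        verdict, pipe = ipfw_chk(ruleset, pkt, at_layer2)
        if verdict == 'deny':
            break
        if pipe is not None:
            hits[pipe] = hits.get(pipe, 0) + 1
    return hits


def effective_kbps(configured_kbps, traversals):
    """A packet charged n times to a pipe of bandwidth B sees B/n end to end."""
    return configured_kbps / max(traversals, 1)


HOST = '172.16.52.254'


def thread_ruleset(pipe_layer='any'):
    """The ruleset from the thread; pipe_layer is the qualifier put on the
    two pipe rules ('any' = none, as posted; 'not layer2' = match at IP only)."""
    return [
        Rule(100, 'skipto', layer='layer2', arg=400),
        Rule(200, 'deny', layer='layer2'),
        Rule(400, 'count', direction='in'),
        Rule(401, 'count', direction='out'),
        Rule(501, 'pipe', dst=HOST, direction='in', layer=pipe_layer, arg=1),
        Rule(601, 'pipe', src=HOST, direction='out', layer=pipe_layer, arg=2),
    ]


if __name__ == '__main__':
    inbound = Packet('10.0.0.1', HOST, 'in')
    for ether_ipfw in (False, True):
        for qual in ('any', 'not layer2'):
            n = pipe_traversals(thread_ruleset(qual), inbound, ether_ipfw).get(1, 0)
            print(f'net.link.ether.ipfw={int(ether_ipfw)} pipe qualifier={qual!r}: '
                  f'pipe 1 traversed {n}x, effective {effective_kbps(64, n):.0f} Kbit/s')
```

The model reproduces the symptom: with the posted rules and the sysctl on, an inbound packet to 172.16.52.254 is handed to pipe 1 at the Ethernet pass and again at the IP pass, so a 64 Kbit/s pipe behaves like 32 Kbit/s. It also shows why adding `layer2` to the count rules, as tried above, changes nothing: the qualifier has to sit on the rules whose action must happen once, here the pipe rules.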
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 21:08:49 2005
From: scuba@centroin.com.br (envelope-from)
To: freebsd-ipfw@freebsd.org
Date: Mon, 3 Oct 2005 18:09:06 -0300 (EST)
Subject: ipfw: unrecognised option [-1] tcp

Hi all,

I'm a bit confused here, please give me some light.

My problem is that after rule 190 (see them below) I get this error message:

    ipfw: unrecognised option [-1] tcp

But it's not only after 190; if I remove it the problem persists.

Here is the beginning of my ipfw rules file:

    #!/bin/sh
    /sbin/ipfw -q -f flush
    cmd="/sbin/ipfw -q add"
    pif="fxp0"
    $cmd 00010 allow all from localhost to localhost via lo0
    $cmd 00015 check-state
    $cmd 00100 deny all from 192.168.0.0/16 to any in via $pif    #RFC 1918 private IP
    $cmd 00110 deny all from 172.16.0.0/12 to any in via $pif     #RFC 1918 private IP
    $cmd 00120 deny all from 10.0.0.0/8 to any in via $pif        #RFC 1918 private IP
    $cmd 00130 deny all from 127.0.0.0/8 to any in via $pif       #loopback
    $cmd 00140 deny all from 0.0.0.0/8 to any in via $pif         #loopback
    $cmd 00150 deny all from 169.254.0.0/16 to any in via $pif    #DHCP auto-config
    $cmd 00160 deny all from 192.0.2.0/24 to any in via $pif      #reserved for docs
    $cmd 00170 deny all from 204.152.64.0/23 to any in via $pif   #Sun cluster interconnect
    $cmd 00180 deny all from 224.0.0.0/3 to any in via $pif       #Class D & E multicast
    $cmd 00190 deny all from any to any frag in via $pif
    $cmd 00200 deny tcp from any to any established in via $pif
    $cmd 00210 allow tcp from me to any out via $pif setup keep-state uid root

- Marcelo
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 22:16:28 2005
From: Nicolas Blais
To: freebsd-ipfw@freebsd.org
Date: Mon, 03 Oct 2005 18:16:16 -0400
Message-id: <200510031816.26658.nb_root@videotron.ca>
Subject: Automatically add attacks to deny list?

Hi,

Whenever someone tries a portscan or http server vulnerability scan on my system, I have to manually add their ip in my /etc/ipfw.conf file such as:

    add 100 deny all from xx.xxx.xxx.xxx to any

Is there a way, without enabling blackhole, to dynamically add ips to my blacklist after a certain packet/sec limit or some other way?

Thanks,
Nicolas.

--
FreeBSD 7.0-CURRENT #0: Sat Oct 1 11:51:38 EDT 2005
root@clk01a:/usr/obj/usr/src/sys/CLK01A
PGP? : http://www.clkroot.net/security/nb_root.asc
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 3 22:27:00 2005
From: Colin Dick
To: Nicolas Blais
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 3 Oct 2005 15:26:45 -0700 (PDT)
In-Reply-To: <200510031816.26658.nb_root@videotron.ca>
Subject: Re: Automatically add attacks to deny list?

Hi all,

There is a program called tcpsentry... doesn't it have the ability to do this?

--
Colin
From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 4 01:19:03 2005
From: Olivier Nicole
To: nb_root@videotron.ca
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 4 Oct 2005 08:15:48 +0700 (ICT)
Message-Id: <200510040115.j941FmTm040763@banyan.cs.ait.ac.th>
In-Reply-To: <200510031816.26658.nb_root@videotron.ca>
Subject: Re: Automatically add attacks to deny list?

> Whenever someone tries a portscan or http server vulnerability scan on my
> system, I have to manually add their ip in my /etc/ipfw.conf file such as:
> add 100 deny all from xx.xxx.xxx.xxx to any
>
> Is there a way, without enabling blackhole, to dynamically add ips to my
> blacklist after a certain packet/sec limit or some other way?

I'd say that the problem is not to find out how to do that, but to decide whether it is a good thing to automatically deny an IP.

There must be some plugin to snort that does what you want, but the risk is that either your filtering is too soft and you miss blocking some IP, or too harsh and you block some legitimate traffic.
Olivier
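One shape the "some other way" from Nicolas's question can take, with the "too harsh" risk Olivier raises handled by an allowlist, as an added example that is not code from the thread or from any tool named in it: a Python script that reads the syslog lines ipfw's `log` keyword writes, counts distinct destination ports per source inside a sliding window, and emits `ipfw table` commands for an operator to review rather than running anything. The log lines, the window, the threshold, the table number and the allowlist are all constructed for the example; the line format is the one ipfw writes via syslog, and the `ipfw table N add` / `table(N)` mechanism referred to in the comments is ipfw's own.

```python
"""Port-scan candidates from ipfw log lines (added example, not code from
the thread). Distinct destination ports per source are counted inside a
sliding time window; sources over the threshold are turned into 'ipfw
table' commands for review. Nothing is executed. Log lines, window,
threshold, table number and allowlist are constructed for the example."""
import re
from collections import defaultdict, deque

# syslog line as written by ipfw's 'log' option; ports are absent for ICMP
LOG_RE = re.compile(
    r'^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+'
    r'(?P<host>\S+)\s+kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) '
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? '
    r'(?P<dir>in|out) via (?P<ifn>\S+)$'
)


def parse_line(line):
    """Return the fields of one ipfw log line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['ts'] = int(ev['h']) * 3600 + int(ev['m']) * 60 + int(ev['s'])
    ev['dport'] = int(ev['dport']) if ev['dport'] else None
    return ev


def scan_candidates(lines, window=10, threshold=5, allowlist=()):
    """Sources denied on >= threshold distinct destination ports within
    `window` seconds. Only Deny lines carrying a port (TCP/UDP) count, and
    allowlisted sources are never flagged, so a monitoring host that
    legitimately touches many ports does not get blocked.
    Returns {src: distinct_port_count}."""
    recent = defaultdict(deque)          # src -> deque of (ts, dport)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev['action'] != 'Deny' or ev['dport'] is None:
            continue
        src = ev['src']
        if src in allowlist or src in flagged:
            continue
        q = recent[src]
        q.append((ev['ts'], ev['dport']))
        while q and ev['ts'] - q[0][0] > window:
            q.popleft()              # drop events that fell out of the window
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            flagged[src] = len(ports)
    return flagged


def block_commands(flagged, table=1):
    """ipfw table commands for the operator to review; a rule such as
    'ipfw add 100 deny ip from table(1) to any' consumes the table."""
    return [f'ipfw table {table} add {src}' for src in sorted(flagged)]


# Constructed sample: 203.0.113.7 probes five ports in three seconds,
# 198.51.100.5 retries one port, 198.51.100.9 pings, and 192.0.2.99 is a
# monitoring host on the allowlist that legitimately touches many ports.
SAMPLE_LOG = """\
Oct  3 18:16:01 clk01a kernel: ipfw: 300 Deny TCP 203.0.113.7:41000 192.0.2.10:21 in via fxp0
Oct  3 18:16:01 clk01a kernel: ipfw: 300 Deny TCP 203.0.113.7:41001 192.0.2.10:22 in via fxp0
Oct  3 18:16:02 clk01a kernel: ipfw: 300 Deny TCP 203.0.113.7:41002 192.0.2.10:23 in via fxp0
Oct  3 18:16:02 clk01a kernel: ipfw: 300 Deny TCP 203.0.113.7:41003 192.0.2.10:25 in via fxp0
Oct  3 18:16:03 clk01a kernel: ipfw: 300 Deny TCP 203.0.113.7:41004 192.0.2.10:80 in via fxp0
Oct  3 18:16:04 clk01a kernel: ipfw: 300 Deny TCP 198.51.100.5:5555 192.0.2.10:22 in via fxp0
Oct  3 18:16:40 clk01a kernel: ipfw: 300 Deny TCP 198.51.100.5:5556 192.0.2.10:22 in via fxp0
Oct  3 18:16:41 clk01a kernel: ipfw: 310 Deny ICMP:8.0 198.51.100.9 192.0.2.10 in via fxp0
Oct  3 18:16:50 clk01a kernel: ipfw: 300 Deny TCP 192.0.2.99:40000 192.0.2.10:21 in via fxp0
Oct  3 18:16:50 clk01a kernel: ipfw: 300 Deny TCP 192.0.2.99:40001 192.0.2.10:22 in via fxp0
Oct  3 18:16:51 clk01a kernel: ipfw: 300 Deny TCP 192.0.2.99:40002 192.0.2.10:23 in via fxp0
Oct  3 18:16:51 clk01a kernel: ipfw: 300 Deny TCP 192.0.2.99:40003 192.0.2.10:25 in via fxp0
Oct  3 18:16:52 clk01a kernel: ipfw: 300 Deny TCP 192.0.2.99:40004 192.0.2.10:80 in via fxp0
"""
ALLOWLIST = {'192.0.2.99'}


def demo():
    """Run the detector over the constructed sample and return the commands."""
    flagged = scan_candidates(SAMPLE_LOG.splitlines(), allowlist=ALLOWLIST)
    return block_commands(flagged)


if __name__ == '__main__':
    for cmd in demo():
        print(cmd)
```

Against a live system the lines would come from the file syslog sends ipfw messages to (/var/log/security on a default FreeBSD install) and the printed commands would be reviewed before being run. The two knobs that decide how often Olivier's "too soft" and "too harsh" cases happen are the threshold and the allowlist; the single-port retry from 198.51.100.5 shows why counting distinct ports rather than raw packets avoids flagging an ordinary repeated connection attempt.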
From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 4 02:04:15 2005
From: AT Matik
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
Date: Mon, 3 Oct 2005 23:03:47 -0300
Message-Id: <200510032303.47805.asstec@matik.com.br>
In-Reply-To: <200510040115.j941FmTm040763@banyan.cs.ait.ac.th>
Subject: Re: Automatically add attacks to deny list?

On Monday 03 October 2005 22:15, Olivier Nicole wrote:
> > Whenever someone tries a portscan or http server vulnerability scan on
> > my system, I have to manually add their ip in my /etc/ipfw.conf file
> > such as: add 100 deny all from xx.xxx.xxx.xxx to any

so why would you do that at all? you have time left, ok, valid ..

first, without careful analysis you may not have the real IP in your logs

second, why block the IP? you do not know if you really block "the guy"

third, why block him at all? you tell him, I fear you and you had success, go on fucking me ... )))

fourth, if your server does not stand a scan then you better stay at home playing mahjong (((

fifth, you better let the attacker get to your website to buy the things you sell there, only stupid people close the door of their shop ...
but probably you dug big holes already at the entrance of your street so that nobody can pass through anymore ;) but hopefully you

hint: best and cheapest firewall ever is cutting the wire :)

João
From: "Andrey V. Elsukov" User-Agent: Mozilla Thunderbird 1.0.6 (FreeBSD/20050716) MIME-Version: 1.0 To: ipfw@freebsd.org References: <433A406B.3000300@yandex.ru> In-Reply-To: <433A406B.3000300@yandex.ru> Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit Cc: hackers@freebsd.org Subject: Re: nonprivileged access to ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: bu7cher@yandex.ru List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Oct 2005 05:28:13 -0000

Andrey V. Elsukov wrote:
> I want nonprivileged access to ipfw (without sudo, suid, etc.).
> But RAW sockets restrict this. I have one idea: a pseudo device
> /dev/ipfw. I think that realisation of this feature is not a
> difficult task. Now I have some questions.

Thanks for more answers :)

I have finished this. But I have one question: how should I act with the dummynet code?

Through a pseudo device /dev/ipfwctl we can control the ipfw state. Access to the ipfwctl device can be configured via devfs.conf. The user must have write permission to /dev/ipfwctl to change the ipfw state and read permission to read the ipfw state.

Patch can be found here: http://butcher.heavennet.ru/ipfw_ioctl/

-- WBR, Andrey V.
Elsukov From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 4 10:24:53 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64BC816A42C for ; Tue, 4 Oct 2005 10:24:53 +0000 (GMT) (envelope-from bu7cher@yandex.ru) Received: from mail.rdu.kirov.ru (ns.rdu.kirov.ru [217.9.151.217]) by mx1.FreeBSD.org (Postfix) with ESMTP id A810543D48 for ; Tue, 4 Oct 2005 10:24:46 +0000 (GMT) (envelope-from bu7cher@yandex.ru) Received: from kirov.so-cdu.ru (kirov [172.21.81.1]) by mail.rdu.kirov.ru (Postfix) with ESMTP id A7DB8FF82; Tue, 4 Oct 2005 14:24:44 +0400 (MSD) Received: from kirov.so-cdu.ru (localhost [127.0.0.1]) by rdu.kirov.ru (Postfix) with SMTP id 7ACE815C87; Tue, 4 Oct 2005 14:24:44 +0400 (MSD) Received: by rdu.kirov.ru (Postfix, from userid 1014) id 3F8A515C8A; Tue, 4 Oct 2005 14:24:44 +0400 (MSD) Received: from [172.21.81.52] (elsukov.kirov.so-cdu.ru [172.21.81.52]) by rdu.kirov.ru (Postfix) with ESMTP id 27FA315C86; Tue, 4 Oct 2005 14:24:44 +0400 (MSD) Message-ID: <4342586C.2000100@yandex.ru> Date: Tue, 04 Oct 2005 14:24:44 +0400 
From: "Andrey V. Elsukov" User-Agent: Mozilla Thunderbird 1.0.6 (FreeBSD/20050716) MIME-Version: 1.0 To: =?KOI8-R?Q?Arvinn_L=3Fkkebakken?= References: <433D1567.7020406@sandakerveien.net> In-Reply-To: <433D1567.7020406@sandakerveien.net> Content-Type: multipart/mixed; boundary="------------040704030508040006090903" Cc: freebsd-ipfw@freebsd.org Subject: Re: limited logging when using limit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: bu7cher@yandex.ru List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Oct 2005 10:24:53 -0000

Arvinn wrote:
> ipfw add pipe 5 log tcp from 200.0.0.0/7 to me dst-port 25 limit src-addr 2
> ipfw add allow log tcp from any to me dst-port 25 limit src-addr 10
>
> All I get in syslog is:
> Sep 30 11:14:40 hostname drop session, too many entries

You can try this patch. ipfw will log session drops like the following:

Oct 4 14:15:44 hostname kernel: ipfw: drop session, too many entries (by rule 200)

-- WBR, Andrey V. Elsukov

Content-Type: text/plain; name="netinet.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="netinet.diff"

--- sys/netinet/ip_fw2.c.orig Mon Sep 13 11:21:17 2004
+++ sys/netinet/ip_fw2.c Tue Oct 4 14:18:51 2005
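Review bot: the hunk at ip_fw2.c line 1090 prints `rule->rulenum`, but `rule` is not declared in the seven context lines shown; confirm it is the enclosing function's `struct ip_fw *` parameter so the patch compiles against the rest of that function. Two points worth a sentence in the message: the `last_log != time_second` guard above the `log()` call rate-limits this message to one per second, so when several `limit` rules overflow in the same second only the first rule number is recorded; and the line still carries no addresses, so the operator cannot tell which source exhausted the limit without looking at `ipfw -d list`. Keeping the new `ipfw:` prefix is a good change, since it makes the line greppable alongside the per-packet `ipfw: <rule> <action> ...` entries.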
@@ -1090,7 +1090,8 @@ if (fw_verbose && last_log != time_second) { last_log = time_second; log(LOG_SECURITY | LOG_DEBUG, - "drop session, too many entries\n"); + "ipfw: drop session, too many entries (by rule %d)\n", + rule->rulenum); } return 1; } --------------040704030508040006090903-- From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 4 13:47:03 2005 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 485E416A41F for ; Tue, 4 Oct 2005 13:47:03 +0000 (GMT) (envelope-from eksffa@freebsdbrasil.com.br) Received: from capeta.freebsdbrasil.com.br (vrrp.freebsdbrasil.com.br [200.210.70.30]) by mx1.FreeBSD.org (Postfix) with SMTP id 36A0D43D46 for ; Tue, 4 Oct 2005 13:47:01 +0000 (GMT) (envelope-from eksffa@freebsdbrasil.com.br) Received: (qmail 93344 invoked by uid 0); 4 Oct 2005 10:47:02 -0300 Received: from eksffa@freebsdbrasil.com.br by capeta.freebsdbrasil.com.br by uid 82 with qmail-scanner-1.22 (uvscan: v4.3.20/v4595. spamassassin: 2.64. Clear:RC:1(201.17.165.38):. Processed in 0.424622 secs); 04 Oct 2005 13:47:02 -0000 Received: from unknown (HELO ?10.69.69.69?) (201.17.165.38) by capeta.freebsdbrasil.com.br with SMTP; 4 Oct 2005 10:47:02 -0300 Message-ID: <434287CC.5000202@freebsdbrasil.com.br> Date: Tue, 04 Oct 2005 10:46:52 -0300 
From: Patrick Tracanelli Organization: FreeBSD Brasil LTDA User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.7) Gecko/20050420 X-Accept-Language: en-us, en MIME-Version: 1.0 To: ipfw@freebsd.org References: <4341575C.8080409@freebsdbrasil.com.br> <20051003091024.A92958@xorpc.icir.org> <43415BFB.1050800@freebsdbrasil.com.br> <20051003093801.B92958@xorpc.icir.org> In-Reply-To: <20051003093801.B92958@xorpc.icir.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: layer2 filtering and dummynet, bw reduced by half X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Oct 2005 13:47:03 -0000

Luigi Rizzo wrote:
> see the ipfw manpage near the beginning with the graph
> showing the packet flow.
>
> "layer2" means the rule matches only on layer2.
> "not layer2" matches only on layer 3.
> if you don't put anything, it matches both layer2 and layer3.
>
> luigi

Rizzo, thank you a lot for clearing it up. I tried with pipes and queues, and explicitly enforcing only layer3 did the work. Very good, thanks.
-- Patrick Tracanelli From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 4 21:54:04 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8FAF316A41F for ; Tue, 4 Oct 2005 21:54:04 +0000 (GMT) (envelope-from rhajduk@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id B1E1E43D5E for ; Tue, 4 Oct 2005 21:54:03 +0000 (GMT) (envelope-from rhajduk@gmail.com) Received: by zproxy.gmail.com with SMTP id z31so9535nzd for ; Tue, 04 Oct 2005 14:54:02 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=dqvXHdSuWfhZwXKz1eCAGTTmoaQCjXn3gQKOrOcXwGyyUcOrXqjDLJnSd5vE3Lrzg+O8YZB6Q2dtoIMw3oByxgsjSt1tyBzIGTZoXm8iSxZC++OpuE0thBkuSDITIhLFinymjAbtnigEcAUrV7xt9SrrGnUl54z0OhGHFd70jgE= Received: by 10.36.146.17 with SMTP id t17mr57865nzd; Tue, 04 Oct 2005 14:54:02 -0700 (PDT) Received: by 10.37.15.74 with HTTP; Tue, 4 Oct 2005 14:54:02 -0700 (PDT) Message-ID: Date: Tue, 4 Oct 2005 23:54:02 +0200 
From: Remigiusz Hajduk To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Subject: [PATCH] log + MAC X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Remigiusz Hajduk List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Oct 2005 21:54:04 -0000

I added MAC address logging facility. I think that it is useful and should be committed to CURRENT.

$FreeBSD: src/sys/netinet/ip_fw2.c,v 1.70.2.14 2005/06/29 21:38:48 simon Exp $
--- sys/netinet/ip_fw2.c.orig Tue Oct 4 22:54:31 2005
+++ sys/netinet/ip_fw2.c Tue Oct 4 23:04:31 2005
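Review bot: in the `hlen == 0` branch of `ipfw_log()`, the two `do { ... } while (--i > 0)` loops are identical except for the source pointer; FreeBSD's kernel printf family understands the `%6D` conversion (six hex bytes joined by a separator string), so the whole branch collapses to a single `snprintf(SNPARGS(proto, 0), "MAC %6D %6D", eh->ether_dhost, ":", eh->ether_shost, ":")` and the locals `len`, `i` and `ptr` go away. If the loops stay, the two long `snprintf` lines exceed the 80 columns style(9) asks for and need wrapping. Also confirm that `eh` cannot be NULL when `hlen` is 0 (the non-IP case is reached from the layer-2 hook, but nothing in the hunk checks the pointer) and that `proto[]` has room for the new 39-character string plus NUL rather than the old 3-character "MAC", since `SNPARGS` truncates silently when it does not. Finally, the diff as posted is quoted-printable (`=3D` stands for `=`), so it must be decoded before patch(1) will apply it.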
@@ -665,7 +665,25 @@ ipfw_log(struct ip_fw *f, u_int hlen, st } if (hlen =3D=3D 0) { /* non-ip */ - snprintf(SNPARGS(proto, 0), "MAC"); + int len, i; + u_char *ptr; + + len =3D snprintf(SNPARGS(proto, 0), "MAC "); + + i =3D ETHER_ADDR_LEN; + ptr =3D eh->ether_dhost; + + do { + len +=3D snprintf(SNPARGS(proto, len), "%s%02x", (i=3D=3DETHER_ADDR_LEN) ? "" : ":", *ptr++); + } while(--i > 0); + + i =3D ETHER_ADDR_LEN; + ptr =3D eh->ether_shost; + len +=3D snprintf(SNPARGS(proto, len), " "); + do { + len +=3D snprintf(SNPARGS(proto, len), "%s%02x", (i=3D=3DETHER_ADDR_LEN) ? "" : ":", *ptr++); + } while(--i > 0); + } else { struct ip *ip =3D mtod(m, struct ip *); /* these three are all aliases to the same thing */ -- Remigiusz Hajduk From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 5 08:51:13 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0681916A41F for ; Wed, 5 Oct 2005 08:51:13 +0000 (GMT) (envelope-from osorio.hugo@gmail.com) Received: from qproxy.gmail.com (qproxy.gmail.com [72.14.204.192]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2561743D48 for ; Wed, 5 Oct 2005 08:51:11 +0000 (GMT) (envelope-from osorio.hugo@gmail.com) Received: by qproxy.gmail.com with SMTP id a39so145513qbd for ; Wed, 05 Oct 2005 01:51:11 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:references; b=EKPLyzFzg6+L4E/+F6ul/g7nxFSav1TWyyFfhE4FxOxycfzG6R+yTqUjDzb0505BnHcsQsp+Zq9gN70lMxdbBh4xMqrafj377iSbsF3P2wrhXlr1OHWaC8kQ6uJ8qbclEt5TgevuwpxKHisOAKaetouO8culXetM9PrT7U0d/Tw= Received: by 10.65.150.10 with SMTP id c10mr3302075qbo; Tue, 04 Oct 2005 13:04:03 -0700 (PDT) Received: by 10.65.95.18 with HTTP; Tue, 4 Oct 2005 13:04:03 -0700 (PDT) Message-ID: <680ac8470510041304o20e8627ap@mail.gmail.com> Date: Tue, 4 Oct 2005 15:04:03 
-0500 
From: Hugo Osorio To: ipfw@freebsd.org, freebsd-ipfw@freebsd.org In-Reply-To: <680ac847050926064125be4e0@mail.gmail.com> MIME-Version: 1.0 References: <680ac84705082407576dd2f6b4@mail.gmail.com> <20050825084039.GH659@obiwan.tataz.chchile.org> <680ac84705082507486347b67@mail.gmail.com> <680ac847050922171856ed2904@mail.gmail.com> <43334E81.9080707@mac.com> <680ac84705092309007d69b088@mail.gmail.com> <43342E8E.6060004@mac.com> <680ac847050926064125be4e0@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: mime contents thru ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Hugo Osorio List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Oct 2005 08:51:13 -0000

I HAVE WRITTEN

ipfw add pass tcp from 172.24.33.0/24 to myproxy 80

INSTEAD OF

ipfw add pass tcp from 172.24.33.0/24 to myproxy 80 keep-state

and it has worked... that was the solution I was looking for months ago. :((

2005/9/26, Hugo Osorio :
>
> I have seen that "open rule" is insecure, and I wouldn't like to use it...
> I want to continue trying to find the closed port, with this policy... there
> must be something somewhere... so... I will continue bothering. sorry I am a
> beginner, here are some conversations in the past that weren't submitted to
> the group.
> ------------------
> Proxy is a cache server. If u dont need, not use. If u want to use
> proxy for caching web traffic and force this traffic through proxy, u can
> do that with fwd option in ipfw
> example:
> ipfw fwd $ip_proxy,$port_proxy tcp from not me to any 80 in via
> $private_interface
>
> This not affect in any way functionality for mail application (that
> work in case of pop3 with 25 respectively 110 ports).
> If u access mail via web, this work well with proxy.
> If still have problem, i'm sure is because configuration of proxy
> (think use squid). In this case u need some options to permit
> "connect" method. I dont remember now how look exactly.
> ----------------------
> I have done this.. at the command line,
>
> ipfw add fwd 172.25.1.5 ,80 tcp from not me to any 80
> in via vr0
> 04200 fwd 172.25.1.5 ,80 tcp from not me to any 80 in
> recv vr0
>
> also
>
> ipfw add fwd 172.2X.X.X,80 tcp from 17X.XX.XX.0/24 to any 80 in via vr0
>
> nothing happens.. I do see traffic, but very little..
>
> this should refresh it? I mean, this rule is active immediately? because
> I can not do attachments yet.. not even showing my message list in yahoo..
> (http://e1.f405.mail.yahoo.com/ym/ShowFolder?YY=29820&box=Inbox&YN=1
> )
>
> Proxy is Proxy server 2.0 microsoft,
>
> I have unset the firewall, and I have plugged the router directly to the
> switch.. and all is fine, so I am almost sure the hassle is in the fw,
>
> thx
> ---------------------------------------------
> I have two proxies available, and in the machine where I have the fw there
> are routes created, for routing one proxy or another... 172.25.x.x or
> 172.24.x.x
>
> with the .24.x.x proxy dont have any hassle..
> but I do with the 25.x.x
>
> >You have to redirect the whole HTTP traffic to the proxy, or nothing.
> >You can't decide on layer 7 content.
>
> what do you recommend me to do first?
> ----------------------------------------------
>
>
> 2005/9/23, Chuck Swiger :
> >
> > Hugo Osorio wrote:
> > > gracias,
> > >
> > > our (172.24.33.0 ) LAN goes
> > to internet through two
> > > proxies, the new proxy which is the one I am trying to set up, is in
> > another
> > > network we have set routes to that LAN, (172.25.1.0<
> > http://172.25.1.0>)
> >
> > OK.
> >
> > > -is it inappropriate to put these address here? I hope not :s
> >
> > No. I was confused by the "" strings, which someone
> > said
> > may be something to do with gmail.com .
> >
> > > in order to be protected, we have set a firewall in this way:
> > >
> > > LAN(172.24.33.0 ) --> SWITCH
> > --> fw --> Router(
> > > 172.25.19.X) --> proxy( 172.25.1.5 <
> > http://172.25.1.5>)
> >
> > OK. You should start by testing access through the proxy server when
> > logged
> > onto your firewall box. If that doesn't work, debug your router or your
> > network routes.
> >
> > > I have the other conf (using another proxy, another network) without
> > the
> > > string 'http://' and it works, and transfer everything.
> > > and besides, using the new proxy, without the 'http://' string, it
> > shows
> > > bytes activity in 'ipfw show', I mean I can enter sites.
> > >
> > > For using "open firewall ruleset" do you have any basic document?
> > >
> > > another hint or help, will be appreciated, thank you.
> >
> > Look at /etc/rc.firewall and the "open" ruleset there.
> >
> > See:
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
> >
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
> >
> > ...which is available translated to other languages, also.
> >
> > --
> > -Chuck
> >
> >
>

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 5 09:03:24 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E967616A41F for ; Wed, 5 Oct 2005 09:03:24 +0000 (GMT) (envelope-from arvinn@sandakerveien.net) Received: from monday.timeplanen.no (monday.timeplanen.no [212.71.68.41]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8BA3F43D45 for ; Wed, 5 Oct 2005 09:03:24 +0000 (GMT) (envelope-from arvinn@sandakerveien.net) Received: from [139.105.137.157] (unknown [139.105.137.157]) by monday.timeplanen.no (Postfix) with ESMTP id 9AFAE269; Wed, 5 Oct 2005 11:03:04 +0200 (CEST) Message-ID: <434396C7.1000306@sandakerveien.net> Date: Wed, 05 Oct 2005 11:03:03 +0200
From: =?UTF-8?B?QXJ2aW5uIEzDuGtrZWJha2tlbg==?= User-Agent: Mozilla Thunderbird 1.0.7 (Windows/20050923) X-Accept-Language: en-us, en MIME-Version: 1.0 To: bu7cher@yandex.ru, freebsd-ipfw@freebsd.org. References: <433D1567.7020406@sandakerveien.net> <4342586C.2000100@yandex.ru> In-Reply-To: <4342586C.2000100@yandex.ru> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: limited logging when using limit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Oct 2005 09:03:25 -0000

Andrey V. Elsukov wrote:
> Arvinn wrote:
>
>> ipfw add pipe 5 log tcp from 200.0.0.0/7 to me dst-port 25 limit
>> src-addr 2
>> ipfw add allow log tcp from any to me dst-port 25 limit src-addr 10
>>
>> All I get in syslog is:
>> Sep 30 11:14:40 hostname drop session, too many entries
>
>
> You can try this patch. ipfw will be logging a session drops like
> following:
>
> Oct 4 14:15:44 hostname kernel: ipfw: drop session, too many entries
> (by rule 200)

Thank you very much. The patch worked like a charm. Is there any easy way to add src-ip/port and dst-ip/port too though?
Arvinn From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 5 11:47:11 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2239416A41F for ; Wed, 5 Oct 2005 11:47:11 +0000 (GMT) (envelope-from andreas@syndrom23.de) Received: from vs159088.vserver.de (syndrom23.de [62.75.159.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 877AE43D48 for ; Wed, 5 Oct 2005 11:47:10 +0000 (GMT) (envelope-from andreas@syndrom23.de) Received: from klamath ([212.204.44.203]) (authenticated bits=0) by vs159088.vserver.de (8.12.8/8.12.8) with ESMTP id j95Bl6ca017890 for ; Wed, 5 Oct 2005 13:47:06 +0200 
From: Andreas Kohn To: freebsd-ipfw@freebsd.org Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-quxBrrc/gEwp7wBKsCbI" Date: Wed, 05 Oct 2005 13:47:05 +0200 Message-Id: <1128512825.1052.27.camel@klamath.syndrom23.de> Mime-Version: 1.0 X-Mailer: Evolution 2.4.1 FreeBSD GNOME Team Port Subject: ipfw2 and ipv6 - strange things happening X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Oct 2005 11:47:11 -0000

Hi,

I'm in the process of refining my ipfw(2) rules.
The strangeness is that I am apparently unable to filter certain ipv6 traffic correctly:

# ipfw add 1650 pass proto 41 via rl0
01650 allow ip from any to any via rl0
# ipfw -c list 1650
01650 allow via rl0

This should have been "allow proto 41 via rl0", no?
An overview of what I'd like to accomplish:

[LAN, using IPv4 192.168.0.0/16, and IPv6]
   |
   |  vr0: 192.168.0.1
router
   |  rl0: 212.204.44.203, gif0, stf0
   |
[internet]

The router is the ipfw machine, currently running FreeBSD 7.0-CURRENT #35: Sun Oct 2 14:16:27 CEST 2005

The router has a few interfaces:
rl0 - Outside interface to the cable modem
vr0 - Inside interface to the lan
gif0 - SixXS IPv6 tunnel

00050 divert 8668 via rl0
[using natd for IPv4]
00100 allow via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
[standard localhost rules]
00400 allow not via rl0
[allow any traffic floating around in the local net]
00500 deny dst-port 135,139,445 recv rl0
[kill some windows traffic from the internet early]
00600 allow tcp from any to any established
00700 allow frag
[allow anything which originated from here, and frags]
00800 allow proto icmp
[allow any kind of icmp]
00900 allow tcp from 212.204.44.203 to any setup
01000 allow tcp from 192.168.0.0/16 to any setup
[allow any ipv4 originating from here]
01100 allow tcp from any to me dst-port 22,80,8180
[allow services]
01200 deny log tcp from any to any setup
[log and drop excess traffic]
01300 allow udp from 212.204.44.203 to any dst-port 53 keep-state
01400 allow udp from 212.204.44.203 to any dst-port 123 keep-state
[dns, ntp]
01500 allow ip from any to 212.224.0.188
01600 allow ip from 212.224.0.188 to me
[SixXS tunnel, see below]
01700 reset log ip from any to any
65535 deny ip from any to any

That works, more or less.

Rules 1500 and 1600 were originally written as "allow proto 41 via rl0", to catch any and all encapsulated ipv6 traffic. I assumed from reading that the ipv6-in-ipv4 packets run at least twice through the firewall, the first time as ipv4 packets, and the second time as ipv6 packets?

212.224.0.188 is deham01.sixxs.net, my SixXS tunnel endpoint.
Now, I would like to add a 6to4 interface, and with that I can no longer use the "workaround" of filtering by the tunnel endpoint, because the endpoint can potentially be any and all ipv4 addresses in the world.

Enabling verbose mode, I see

1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0

in /var/log/security, which I can associate with the ping6 I started on 2002:8b1e:820d::1.

I see exactly the same "Reset P:41" for the SixXS tunnel if I remove rules 1500+1600. But from looking at the above ipfw list output, I cannot filter these P:41 packets by their P:41.

So for the short final questions:
a) should pass proto 41 via rl0 do what I expect? Allow encapsulated ipv6 traffic? Is just the displaying of the rule a little broken/misleading?
b) How would I filter 6to4 traffic so that the encapsulated packets are passed through, and afterwards filtered as regular ipv6 traffic?

It would be nice if you had any pointers to things I'm missing here.

Best regards,
Andreas

--
aha!!! you forgot 1111111eineinselfelf
eleven is overrated.
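Two log-line shapes come up in this chunk of the list: the per-packet entry that a rule with the `log` option writes ("1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0" in Andreas's /var/log/security) and the "drop session, too many entries" line from the limited-logging thread, with or without the "(by rule N)" suffix that Andrey's netinet.diff adds. The parser below is an added example, not code from either thread or from FreeBSD; it turns a batch of such lines into per-rule, per-protocol and per-source counters, which is how one would notice that a reset rule is eating protocol 41 (6in4) traffic or that one `limit` rule keeps running out of dynamic entries. It assumes the usual syslog prefix ("Mon DD HH:MM:SS host kernel: "), the `Accept`, `Unreach 3` and `ICMP:8.0` spellings of ipfw's log format (which the page itself does not show), and a constructed sample log whose addresses echo the thread but are not anyone's real records.

```python
"""Parse ipfw security-log lines and aggregate them per rule, protocol and source.

Added example for this list archive; not code from the thread or from FreeBSD.
Sample lines at the bottom are constructed, not real logs."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Union

# Optional syslog prefix as written to /var/log/security; "kernel:" is
# optional so the unpatched line quoted by Arvinn also matches.
_SYSLOG = r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+(?:kernel:\s+)?)?"

# Per-packet entry.  The action may carry a numeric argument ("Unreach 3");
# the protocol is TCP, UDP, ICMP:type.code, or P:<number> for anything else
# (P:41 is IPv6-in-IPv4, the traffic Andreas saw rule 1700 resetting).
_PACKET = re.compile(
    _SYSLOG
    + r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>[A-Za-z]+(?:\s+\d+)?)\s+"
    + r"(?P<proto>TCP|UDP|ICMP:[\d.]+|P:\d+)\s+"
    + r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+"
    + r"(?:via|recv|xmit)\s+(?P<iface>\S+)"
)

# Dynamic-state exhaustion of a "limit" rule.  The rule number is present
# only on kernels carrying the patch from this thread.
_LIMIT = re.compile(
    _SYSLOG
    + r"(?:ipfw:\s+)?drop session, too many entries"
    + r"(?:\s+\(by rule (?P<rule>\d+)\))?"
)


@dataclass(frozen=True)
class PacketEvent:
    rule: int
    action: str
    proto: str
    src: str          # "addr" or "addr:port" exactly as logged
    dst: str
    direction: str    # "in" or "out"
    iface: str


@dataclass(frozen=True)
class LimitEvent:
    rule: Optional[int]   # None when the kernel does not log the rule number


def parse_line(line: str) -> Union[PacketEvent, LimitEvent, None]:
    """Return the event a single log line describes, or None for other lines."""
    m = _PACKET.match(line)
    if m:
        return PacketEvent(int(m["rule"]), m["action"], m["proto"],
                           m["src"], m["dst"], m["dir"], m["iface"])
    m = _LIMIT.match(line)
    if m:
        return LimitEvent(int(m["rule"]) if m["rule"] else None)
    return None


def source_host(ev: PacketEvent) -> str:
    """Strip the port from TCP/UDP sources so one scanning host counts once."""
    if ev.proto in ("TCP", "UDP") and ":" in ev.src:
        return ev.src.rsplit(":", 1)[0]
    return ev.src


def summarize(lines):
    """Aggregate lines into the counters a defender wants at a glance:
    hits per (rule, action), per protocol, per source host, and how often
    each limit rule refused a new dynamic entry."""
    by_rule, by_proto, by_src, limit_drops = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_line(line)
        if isinstance(ev, PacketEvent):
            by_rule[(ev.rule, ev.action)] += 1
            by_proto[ev.proto] += 1
            by_src[source_host(ev)] += 1
        elif isinstance(ev, LimitEvent):
            limit_drops[ev.rule] += 1
    return {"by_rule": by_rule, "by_proto": by_proto,
            "by_src": by_src, "limit_drops": limit_drops}


# Constructed sample: rule numbers and addresses echo the thread, but these
# are not lines from anyone's real /var/log/security.
SAMPLE_LOG = """\
Oct  5 13:40:01 klamath kernel: ipfw: 1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0
Oct  5 13:40:02 klamath kernel: ipfw: 1700 Reset P:41 139.30.130.13 212.204.44.203 in via rl0
Oct  5 13:40:05 klamath kernel: ipfw: 1200 Deny TCP 198.51.100.7:4444 212.204.44.203:22 in via rl0
Oct  5 13:40:06 klamath kernel: ipfw: 1200 Deny TCP 198.51.100.7:4445 212.204.44.203:23 in via rl0
Oct  5 13:40:07 klamath kernel: ipfw: 1300 Unreach 3 UDP 203.0.113.9:5353 212.204.44.203:53 in via rl0
Sep 30 11:14:40 hostname drop session, too many entries
Oct  4 14:15:44 hostname kernel: ipfw: drop session, too many entries (by rule 200)
Oct  4 14:15:45 hostname kernel: ipfw: drop session, too many entries (by rule 200)
Oct  5 13:41:00 klamath kernel: ipfw: 800 Accept ICMP:8.0 203.0.113.9 212.204.44.203 in via rl0
Oct  5 13:41:01 klamath syslogd: restart
""".splitlines()

if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LOG).items():
        print(name, dict(counter))
```

Run against a real file with `summarize(open("/var/log/security"))`; the per-protocol counter is the quick way to see how much "P:41" a catch-all reset rule is swallowing, and `limit_drops[None]` staying non-zero tells you the box is still on an unpatched kernel that omits the rule number.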
From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 6 08:18:39 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D9BC16A41F; Thu, 6 Oct 2005 08:18:39 +0000 (GMT) (envelope-from bsd@roamingsolutions.net) Received: from basillia.speedxs.net (basillia.speedxs.net [83.98.255.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id DDC6843D6B; Thu, 6 Oct 2005 08:18:27 +0000 (GMT) (envelope-from bsd@roamingsolutions.net) Received: from ongers.net (ongers.speedxs.nl [83.98.237.210]) by basillia.speedxs.net (Postfix) with ESMTP id 5C4D17034; Thu, 6 Oct 2005 10:06:36 +0200 (CEST) Received: from (66.110.35.16 [66.110.35.16]) by MailEnable Inbound Mail Agent with ESMTP; Thu, 06 Oct 2005 10:23:48 +0200 Received: from 127.0.0.1 (AVG SMTP 7.0.344 [267.11.10]); Thu, 06 Oct 2005 10:18:47 +0200 Message-ID: <4344DDE5.1070301@roamingsolutions.net> Date: Thu, 06 Oct 2005 10:18:45 +0200
From: G Bryant User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: FreeBSD , FreeBSD Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: 2 uplinks with bandwidth management, load splitting and fail-over. Working X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Oct 2005 08:18:39 -0000

Greetings,

2 uplinks with bandwidth management, load splitting and fail-over. Working

For those interested in an alternate method of doing the same thing - here are some basics. You could probably modify the script rules and sets to do crude load balancing between the lines too - but more of that later.

The Setup:
FreeBSD 5.4 - Stable
ipfw, natd, natd2, ng_one2many, squid, jftpgw.
2 dsl links to the internet.
3 network cards ( 1 per dsl modem, 1 for lan)

Learning curve:
After much reading and testing, I found that the way to use both dsl lines was to use ipfw prob, ipfw fwd, and divert to separate natd's.
Basically: a natd with alias_address associated with each of the box's external ip's.

ipfw rules as follows:
#------------------------
route add default $ext_gw1
<--snip-->
ipfw add allow ip from any to any via $int_if
ipfw add divert natd1 ip from any to $ext_ip1 in
ipfw add divert natd2 ip from any to $ext_ip2 in
# Simple version
ipfw add skipto 8000 ip from $lan to any out
ipfw add allow ip from any to $lan in
ipfw add 8000 prob 0.5 skipto 8500 ip from any to any out
ipfw add 8100 divert natd1 ip from any to any out
ipfw add 8200 allow ip from $ext_ip1 to any out
ipfw add 8500 divert natd2 ip from any to any out
ipfw add 8600 fwd $ext_gw2 ip from $ext_ip2 to any out
ipfw add deny ip from any to any out
#------------------------

This didn't work for 2 reasons.
Packets exiting with a fwd command to ext_gw2 didn't get to exit the correct interface as routing had already set them up to exit via the default route.

Second reason was that tcp sessions really like all sequenced packets, and ack replies, to come from the same source it started talking with initially. The keep-state unfortunately only creates a dynamic rule using ip and port for source and destination, and the interface. This does not help as I would like the rule to remember which packets to skipto 8500 (same as before) - but the keep-state (dynamic rule for that session) seems to think it's a free-for-all and only sees it as an allow rule, to send the packets directly out. This doesn't help as the packets have not yet been natted, and so exit with a private source ip (up, up and away - never to be seen again).

Current (dirty) working Solution:

rc.conf: (relevant entries)

hostname="fw.xx.yy.zz"
# Configure the internal network
ifconfig_vr0="inet 192.168.1.1 netmask 255.255.255.0"
# Configure the external networks (connected to the internet)
ifconfig_rl0="inet 192.168.8.70 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 192.168.0.99 netmask 255.255.255.0"
defaultrouter="192.168.8.1"
# - Enabling the FreeBSD Firewall
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
# Enabling natd for the 2 external interfaces
natd_enable="YES"
natd_flags="-f /etc/natd1.conf"
# Remember to specify the natd2 port in /etc/services
# To start this, the easiest way is to cp /etc/rc.d/natd /usr/local/etc/rc.d/natd2.sh and then edit it.
natd2_enable="YES"
natd2_flags="-f /etc/natd2.conf"
# Enable the proxy server
squid_enable="YES"
# Sync server time from internet
ntpd_enable="YES"
ntpd_flags="-c /etc/ntp.conf"
# Bandwidth monitoring with html graphs
bandwidthd_enable="YES"
# jftpgw ftp proxy for anonymous ftp proxy-cache
jftpgw_enable="YES"
# Load the script to hook the two external nic's together
# Add the actual script file to /usr/local/etc/rc.d/netmon1.sh
netmon1_enable="YES"

I found the fwd command in the above ipfw rules wasn't working for me - even tried different network cards, but the packets still didn't exit the correct interface. So I decided to try to force them out whether they liked it or not. (Hence the dirty part - as you will see)

Used ng_one2many to hook both external nic's onto the first one, and configured it for "transmit all," i.e. all packets leaving interface0 get forced out of interface1 as well. Just ran a script at startup to get this setup: (Yes I know it can be done a lot better - for now it works!!!)

#----------------------------
#!/bin/sh
# Load the kernel modules
kldload ng_ether
kldload ng_one2many
ifconfig rl0 down
ifconfig rl1 down
# Plumb nodes together: rl0's ether node gets a one2many node on its
# "upper" hook, and both NICs' "lower" hooks become its many0/many1 links
ngctl mkpeer rl0: one2many upper one
ngctl connect rl0: rl0:upper lower many0
ngctl connect rl1: rl0:upper lower many1
# Allow rl1 to xmit / recv rl0 frames
ifconfig rl1 promisc
ngctl msg rl1: setautosrc 0
# Configure to transmit to all interfaces
ngctl msg rl0:upper setconfig "{xmitAlg=2 failAlg=1 enabledLinks=[ 1 1 ] }"
echo "Now up the interfaces again"
ifconfig rl0 up
ifconfig rl1 up
ifconfig rl0 inet 192.168.8.70 netmask 255.255.255.0
ifconfig rl0 inet 192.168.0.99 netmask 255.255.255.0 alias
# Make sure the default route is correct.
route delete default
route add default 192.168.0.1
echo "Done"
#----------------------------

Weird thing was that using default route 192.168.8.1 (via the interface directly linked to $ext_if1) didn't work.
It was only when I tried with the default route set to $ext_gw2 that everything started working. Still figuring that one out, but reckon it was prayers that give God the honours here.

ipfw rules:

#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
bwm="ipfw -q pipe"
skip="skipto 8000"
ext_if1="rl0"            # public interface name of NIC
ext_if2="rl0"
lan="192.168.1.0/24"
int_if="vr0"             # private interface name of NIC
ext_ip1="192.168.8.70"
ext_ip2="192.168.0.99"
ext_gw1="192.168.8.1"
ext_gw2="192.168.0.1"

# Setup the different Sets to be used for different connection options
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# Initially enable set 1 and 2 and 12 assuming we have 2 WAN links up and working
ipfw -q set enable 1 2 12

# Specify which ip addresses get what bandwidth
# Can also tell this dhcp server to give certain addresses to selected mac
# addresses in file /usr/local/etc/dhcpd.conf
u512k=""                        # Users given 512kb/s link
u256k="192.168.1.0/24{2-254}"   # Users given 256kb/s link
u128k=""                        # Users given 128kb/s link
u64k=""                         # Users given 64kb/s link
# squid and jftpgw have to be configured separately to provide the same
# bandwidth management as what is configured here. See their config/man pages.

# Check and drop packets that are appearing to come from
# the destination LAN i.e. a spoofed source ip address
$cmd deny ip from any to any not antispoof in

# No restrictions on Loopback Interface
# Protect spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any

# check if packet is inbound and nat address if it is
$cmd 1000 divert natd1 ip from any to $ext_ip1 in
$cmd 1000 divert natd2 ip from any to $ext_ip2 in

# Divert incoming http and ftp traffic to the proxy (squid and jftpgw)
$cmd fwd 192.168.1.1,3128 tcp from $lan to any 80 in via $int_if
$cmd fwd 192.168.1.1,2370 tcp from $lan to any 21 via $int_if

# Allow the rest of the LAN traffic in and out
$cmd allow ip from any to any via $int_if

################ Bandwidth Management ############################
# Setup up pipes for each of the user groups
# An empty group variable would produce a broken rule, so the pipe rules
# for a group are only added when its address list is set.
# Users with 512Kb / 256Kb access (in / out)
if [ -n "$u512k" ]; then
    $cmd pipe 10 ip from any to $u512k in via $ext_if1
    $cmd pipe 11 ip from $u512k to any out via $ext_if1
fi
$bwm 10 config mask dst-ip 0x000000ff bw 512Kbit/s queue 4KBytes
$bwm 11 config mask src-ip 0x000000ff bw 256Kbit/s queue 3KBytes
# Users with 256Kb / 128Kb access
if [ -n "$u256k" ]; then
    $cmd pipe 20 ip from any to $u256k in via $ext_if1
    $cmd pipe 21 ip from $u256k to any out via $ext_if1
fi
$bwm 20 config mask dst-ip 0x000000ff bw 256Kbit/s queue 4KBytes
$bwm 21 config mask src-ip 0x000000ff bw 128Kbit/s queue 3KBytes
# Users with 128Kb / 64Kb access
if [ -n "$u128k" ]; then
    $cmd pipe 30 ip from any to $u128k in via $ext_if1
    $cmd pipe 31 ip from $u128k to any out via $ext_if1
fi
$bwm 30 config mask dst-ip 0x000000ff bw 128Kbit/s queue 4KBytes
$bwm 31 config mask src-ip 0x000000ff bw 64Kbit/s queue 3KBytes
# Users with 64Kb / 56Kb access
if [ -n "$u64k" ]; then
    $cmd pipe 40 ip from any to $u64k in via $ext_if1
    $cmd pipe 41 ip from $u64k to any out via $ext_if1
fi
$bwm 40 config mask dst-ip 0x000000ff bw 64Kbit/s queue 3KBytes
$bwm 41 config mask src-ip 0x000000ff bw 56Kbit/s queue 2KBytes

#################################################################
# Interface facing Public Internet (Outbound Section)
# Allow out access to my ISP's Domain name server.
# Get the IP addresses from /etc/resolv.conf file
#$cmd $skip udp from any to { 196.7.0.138 or 196.28.86.2 or 196.28.86.3 or 196.25.1.1 } 53 out
$cmd $skip udp from any to any 53 out
# Allow this box out access to my ISP's DHCP server (or adsl router)
$cmd $skip udp from me to any 67 out
# Allow skype connections out
# Allow ntp time server out
$cmd $skip udp from any to any 80,443,123,1024-65535 out
$cmd $skip udp from any 80,443,1024-65535 to any out
$cmd $skip tcp from any 1024-65535 to any 1024-65535 out
# Allow out non-secure standard www function - via proxy
$cmd $skip tcp from me to any 80
# Allow out secure www function https over TLS SSL
# Allow out send & get email function (GMail uses ports 587, 995)
# Allow out MSN messenger
# Allow out Time, nntp news (i.e. news groups),
# SSH (secure FTP, Telnet, and SCP), whois
$cmd $skip tcp from any to any 443,25,110,587,995,1863,37,119,22,43 out
# Allow out regular http and ftp access (for if proxy and fwd cmd's above are off)
$cmd $skip tcp from $lan 1024-65535 to any 20,21,80 out
# Allow out ping
$cmd $skip icmp from $lan to any out icmptypes 8
$cmd allow icmp from me to 192.168.0.0/16 out icmptypes 8
$cmd allow icmp from $ext_ip1,$ext_ip2 to any out icmptypes 8
# Allow www and ftp proxy out
$cmd $skip tcp from me to any 20,21,80 out uid squid
# Allow out FreeBSD (make install & CVSUP) functions
# Give user root "GOD" privileges.
$cmd allow ip from me to any out uid root
# Deny the rest out
$cmd deny log ip from any to any out

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
# Deny all inbound traffic from non-routable reserved address spaces
#$cmd 300 deny all from 192.168.0.0/16 to any in via $ext_if1  # RFC 1918 private IP
# 172.16.0.0/12, 10.0.0.0/8   RFC 1918 private IP
# 169.254.0.0/16              DHCP auto-config
# 192.0.2.0/24                reserved for docs
# 204.152.64.0/23             Sun cluster
# 224.0.0.0/3                 Class D & E multicast
$cmd deny all from 172.16.0.0/12,10.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3 to any in
# Deny ident
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd deny all from any to any 113,137,138,139,81 in
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
$cmd allow udp from 192.168.8.1,192.168.0.1 to any 68,5678 in
# Allow dns lookups back in
$cmd allow udp from any 53,67 to $lan in
$cmd allow udp from any 53,67 to me in
# Allow skype connections in
$cmd allow udp from any 80,123,443,1024-65535 to $lan in
$cmd allow udp from any to $lan 80,443,1024-65535 in
# Deny the rest
$cmd deny log udp from any to any in
$cmd allow tcp from any 1024-65535 to $lan 1024-65535 in
# Allow in SecureFTP and SSH from public Internet
$cmd allow tcp from { 192.168.0.0/24 or $lan or 192.168.8.0/24 } to me 22 in  #setup limit src-addr 3
$cmd allow tcp from any to me 22 in setup limit src-addr 1
# Allow in standard www function because I have Apache server - or is there an internal webserver?
# Allow Webmin connections from close-by
$cmd allow tcp from { 192.168.8.0/24 or 192.168.0.0/24 } to me 80,10000 in
$cmd allow tcp from any to $lan 80,10000 in
# Allow outgoing web traffic (via proxy) back in
$cmd allow tcp from any 20,21,80 to me 1024-65535 in
# Deny the rest to me
$cmd deny log tcp from any to me in
# Allow out regular ftp, http access if proxy is off
$cmd allow tcp from any 20,21,80 to $lan 1024-65535 in
# Allow in secure www function https over TLS SSL
# Allow in send & get email function (GMail uses ports 587, 995)
# Allow in MSN messenger
# Allow in Time, nntp news (i.e. news groups),
# SSH (secure FTP, Telnet, and SCP), whois
$cmd allow tcp from any 443,25,110,587,995,1863,37,119,22,43 to any in
# Allow in ICMP (ping) from public networks close by only.
$cmd allow icmp from 192.168.0.0/16 to me in icmptypes 0,3,11
$cmd allow icmp from any to $lan in icmptypes 0,3,11
# Used for testing network connections
$cmd allow icmp from 196.7.0.138,196.25.1.1,196.4.160.7 to me in icmptypes 0,3,11
# Deny the rest
$cmd deny icmp from any to any in
# Reject & Log all unauthorized incoming connections from the public Internet (/var/log/security)
$cmd deny log all from any to any in

# This is skipto location for outbound stateful rules
$cmd 8000 skipto 9000 tcp from any to any out setup
$cmd 8010 skipto 9000 udp from any to any out
$cmd 8020 skipto 9000 icmp from any to any out
$cmd 8100 tee natd1 ip from any to any out
$cmd 8150 check-state
$cmd 8200 divert natd2 ip from any to any out
$cmd 8250 check-state
$cmd 8400 deny ip from any to any out
$cmd 9000 set 12 prob 0.5 skipto 9500 ip from any to any out
$cmd 9100 set 1 divert natd1 ip from any to any out
$cmd 9200 set 1 allow ip from any to any out keep-state
$cmd 9500 set 2 divert natd2 ip from any to any out
$cmd 9600 set 2 allow ip from any to any out keep-state
# deny and log all packets that fell through to see what they are
$cmd 9999 deny log all from any to any
################ End of IPFW rules file ###############################

What this effectively does is send packets destined for either of the $ext_gw's out over both the external lines. This is a terrible way of spamming these external lines with traffic that doesn't belong there, but then again it's only a single link between your ext_if and the ext_gw with nothing else on that link. It's also not holding much traffic as it's the limited internet link which (here in .za) is only 512k per line. (Although they have just recently brought out a 1M link, available in certain areas.) Anyway, the 100M link should handle the extra noise on the line. If someone has a nicer solution for me - I'm all ears.

Last thing to do was to setup fail-over of some sort. Again, I taught myself some sh scripting in a day, so this isn't the prettiest, but it works. I added an entry to crontab to have this script run every 2 minutes. Basically it adds a specific (pingable) host to the route, and then pings it via the defined path (1st dsl line). Then changes the route and pings it via the 2nd path (2nd dsl line).
#-----------------------------------------
#!/bin/sh
target="196.7.0.138"
ext_gw1="192.168.8.1"
ext_gw2="192.168.0.1"
# Setup route to ping through
route -q add -host $target $ext_gw1
# Test link one through ext_gw1 to see if any packets get returned
# (cut picks the "packets received" count out of ping's summary line;
# if ping printed no summary at all, treat it as no reply)
ping1=$( ping -q -c 3 -f -s 8 -o -t 2 $target | grep "packet loss" | cut -c24-24 )
ping1=${ping1:-0}
# Test link two through ext_gw2 to see if any packets get returned
route -q delete $target
route -q add -host $target $ext_gw2
ping2=$( ping -q -c 3 -f -s 8 -o -t 2 $target | grep "packet loss" | cut -c24-24 )
ping2=${ping2:-0}
# Remove route
route -q delete $target
# Configure the ipfw sets as per network route availability
if [ "$ping1" != "0" ]; then
    if [ "$ping2" != "0" ]; then
        # both links answer: keep the 50/50 split
        ipfw set enable 1 2 12
    else
        # only link one answers
        ipfw set enable 1
        ipfw set disable 2 12
    fi
else
    if [ "$ping2" != "0" ]; then
        # only link two answers
        ipfw set disable 1 12
        ipfw set enable 2
    else
        # echo "enabling everything to wait for network recovery"
        ipfw set enable 1 2 12
    fi
fi
#--------------------------------------

This could be expanded to some sort of crude bandwidth management system if you add some rules to the ipfw that specify probability of 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8 with each rule associated with a different ipfw set. Then you parse the ping replies (you would now need an average for the pings, not just a single ping) for the average time on each route and do some math to enable the correct ipfw set with the correct ipfw prob ratio. It's dirty, but it should (in theory) work. I haven't gotten this far - currently happy with what I have so far and time to earn some money again. Maybe later.

Feel free to post any comments / queries. Feedback welcome. I hope this helps some people save some of the hours and hours I spent on trial and error.

Regards
Graham
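The cron fail-over check from the post, reworked as an added example (editor's code, not Graham's): ping's summary line is parsed with awk instead of a fixed column, a missing summary counts as a dead link, and the choice of ipfw sets is a pure function that can be reviewed in a dry run before anything is applied. The target, gateway addresses and the meaning of sets 1, 2 and 12 are taken from the post; the "apply" argument is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the sets from the
# rules file above: 1 = natd1/gw1 path, 2 = natd2/gw2 path, 12 = 50/50 split.
target="196.7.0.138"     # pingable host used in the post
ext_gw1="192.168.8.1"
ext_gw2="192.168.0.1"

# Extract the reply count from a ping(8) summary line such as
# "3 packets transmitted, 2 packets received, 33.3% packet loss".
# Prints 0 when no such line is present (ping failed or was killed by -t).
received_count() {
    printf '%s\n' "$1" | awk '/packets received/ { print $4; found = 1 }
                              END { if (!found) print 0 }'
}

# Map the reply counts of both links to the ipfw set commands to run.
# The commands are printed one per line rather than executed, so the
# policy can be inspected (or tested) without touching the firewall.
select_sets() {
    up1=${1:-0}; up2=${2:-0}
    if [ "$up1" -gt 0 ] && [ "$up2" -gt 0 ]; then
        echo "ipfw set enable 1 2 12"          # both links: keep the split
    elif [ "$up1" -gt 0 ]; then
        echo "ipfw set disable 2 12"; echo "ipfw set enable 1"
    elif [ "$up2" -gt 0 ]; then
        echo "ipfw set disable 1 12"; echo "ipfw set enable 2"
    else
        echo "ipfw set enable 1 2 12"          # both down: wait for recovery
    fi
}

# Ping $target through one gateway by pinning a host route, then remove
# the route again. -o (exit on first reply) and -t are FreeBSD ping options.
probe_via() {
    route -q add -host "$target" "$1" >/dev/null 2>&1
    out=$(ping -q -c 3 -o -t 2 "$target" 2>/dev/null)
    route -q delete -host "$target" >/dev/null 2>&1
    received_count "$out"
}

# Routes and ipfw are only touched when run as: sh failover.sh apply
# ("apply" is an assumption of this example, not from the post).
if [ "$1" = "apply" ]; then
    n1=$(probe_via "$ext_gw1")
    n2=$(probe_via "$ext_gw2")
    select_sets "$n1" "$n2" | while read -r line; do $line; done
fi
```

Without the "apply" argument the script only defines the functions, so the decision table can be exercised by calling select_sets by hand.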