From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 7 11:02:07 2005
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 7 Nov 2005 11:02:06 GMT
Message-Id: <200511071102.jA7B26Ft049858@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  [ipfw] [patch] ipfw2 create dynamic rules f
f [2003/04/24] kern/51341  ipfw  [ipfw] [patch] ipfw rule 'deny icmp from
o [2003/12/11] kern/60154  ipfw  [ipfw] ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  [ipfw] IPFW2 Queues dont t work
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762  ipfw  [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913   ipfw  [patch] /sbin/ipfw2 silently discards MAC

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159  ipfw  [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172  ipfw  [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086  ipfw  [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749   ipfw  [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984  ipfw  [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719  ipfw  [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  [ipfw] install_state warning about alread
o [2004/09/04] kern/71366  ipfw  [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987  ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276  ipfw  [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/02/01] kern/76971  ipfw  [ipfw] ipfw antispoof incorrectly blocks
o [2005/03/13] bin/78785   ipfw  [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642  ipfw  [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724  ipfw  [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957  ipfw  [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032  ipfw  [ipfw] [patch] ipfw ioctl interface imple

17 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 7 22:46:49 2005
From: Sarxan Elxanzade
Organization: AzerIn
To: freebsd-ipfw@freebsd.org
Date: Tue, 8 Nov 2005 02:46:37 +0400
Message-Id: <200511080246.38057.sarxan@azerin.com>
Subject: Fwd: carp + ipfw problem

Hello all,

I'm trying to configure a firewall with carp + ipfw, but I encountered a strange problem.
Packets are bypassing the carp interface; instead, the ipfw log shows the packet flow to/from the physical interface, e.g.:

FreeBSD host 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #6: Tue Sep 27 16:32:30 AZST 2005 root@host:/usr/obj/usr/src/sys/FIREWALL i386

# ifconfig fxp1
fxp1: flags=9943 mtu 1500
        options=8
        inet 192.168.28.1 netmask 0xffffff00 broadcast 192.168.28.255
        media: Ethernet 100baseTX
        status: active

# ifconfig carp1
carp1: flags=41 mtu 1500
        inet 192.168.28.2 netmask 0xffffff00
        carp: MASTER vhid 4 advbase 1 advskew 0

# ipfw show
00001      0        0 check-state
00002      0        0 allow ip from any to any via lo0
00010      0        0 allow log icmp from any to any
00020      4      344 allow log tcp from any to any
00030      0        0 allow log udp from any to any
65534      0        0 allow ip from any to any
65535      0        0 deny ip from any to any

When I ping the IP address assigned to the carp1 interface from a host within the same network:

# ping 192.168.28.2
PING 192.168.28.2 (192.168.28.2): 56 data bytes
64 bytes from 192.168.28.2: icmp_seq=0 ttl=64 time=0.511 ms

I receive the following in secure.log:

Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1

The same situation with the tcp protocol. The kernel's conf is in the attachment. Maybe I missed something?

--
Best regards,
Elkhanzade Sarkhan

-------------------------------------------------------
--
Elkhanzade Sarkhan          Azerin ISP, U.Hajibeyov 36, Baku
Systems Administrator       Phone work : +994124982533
                            e-mail : sarxan@azerin.com

[Attachment: kernel.conf]

machine         i386
cpu             I586_CPU
ident           FIREWALL

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

# AMD K6
options         CPU_WT_ALLOC
options         NO_MEMORY_HOLE

device          apic                    # I/O APIC

device          isa
device          eisa
device          pci

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
device          atapist                 # ATAPI tape drives
options         ATA_STATIC_ID           # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          psm                     # PS/2 mouse

device          vga                     # VGA video card driver

device          sc

# Floating point support - do not disable.
device          npx

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device          loop                    # Network loopback
device          mem                     # Memory and kernel memory devices
device          io                      # I/O device
device          random                  # Entropy device
device          ether                   # Ethernet support
device          pty                     # Pseudo-ttys (telnet etc)
#device         carp
#device         pf
#device         pflog
#device         pfsync
device          bpf                     # Berkeley packet filter

options         IPFIREWALL
options         IPFIREWALL_FORWARD
device          carp

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 8 10:28:45 2005
From: Tyrone@telecity.se
To: freebsd-ipfw@freebsd.org
Date: Tue, 8 Nov 2005 11:28:42 +0100
Subject: RE: shaping

Hi

I'm having trouble creating a carp interface

My freebsd vers is FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE #3: Mon Nov 7 12:56:32 CET 2005 tyrone@:/usr/src/sys/i386/compile/CLOWNFISH i386

When I type

# ifconfig carp0 create

I get the following error
ifconfig: SIOCIFCREATE: Invalid argument

Is there anything I have to enable before?

Regards
Tyrone

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 8 17:19:36 2005
From: Mark Linimon
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Tue, 8 Nov 2005 17:19:35 GMT
Message-Id: <200511081719.jA8HJZ6F063762@freefall.freebsd.org>
Subject: Re: kern/88659: [modules] ipfw and ip6fw do not work properly as modules

Synopsis: [modules] ipfw and ip6fw do not work properly as modules

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Nov 8 17:19:20 GMT 2005
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=88659

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 8 17:21:01 2005
From: Mark Linimon
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Tue, 8 Nov 2005 17:21:01 GMT
Message-Id: <200511081721.jA8HL1m5063949@freefall.freebsd.org>
Subject: Re: kern/88664: [ipfw] ipfw stateful firewalling broken with IPv6

Synopsis: [ipfw] ipfw stateful firewalling broken with IPv6

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Nov 8 17:20:48 GMT 2005
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=88664

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 8 18:50:21 2005
From: Hajimu UMEMOTO
Reply-To: Hajimu UMEMOTO
To: freebsd-ipfw@FreeBSD.org
Date: Tue, 8 Nov 2005 18:50:17 GMT
Message-Id: <200511081850.jA8IoHxV074743@freefall.freebsd.org>
Subject: Re: kern/88659: ipfw and ip6fw do not work properly as modules

The following reply was made to PR kern/88659; it has been noted by
GNATS.

From: Hajimu UMEMOTO
To: Jean-Yves Lefort
Cc: FreeBSD-gnats-submit@FreeBSD.org, ume@FreeBSD.org
Subject: Re: kern/88659: ipfw and ip6fw do not work properly as modules
Date: Wed, 09 Nov 2005 03:42:46 +0900

Hi,

>>>>> On Tue, 8 Nov 2005 13:20:39 +0100 (CET)
>>>>> Jean-Yves Lefort said:

>Synopsis: [modules] ipfw and ip6fw do not work properly as modules
>Description:
jylefort> Because in that case, they do not include the opt_* headers.
>How-To-Repeat:
jylefort> Remove IPFIREWALL from the kernel configuration and try to filter IPv6
jylefort> traffic with ipfw.

Did you actually try ip6fw as a module? I'm not sure about ipfw, but ip6fw is written not to require opt_* headers when compiled as a module.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 9 14:53:14 2005
From: "Cesar"
To: freebsd-ipfw@freebsd.org
Date: Wed, 9 Nov 2005 11:52:35 -0300
Message-ID: <002b01c5e53d$38c99d30$f2faa8c0@ironman>
Subject: String Match

An interesting thing in iptables is that option to match strings, like this example:

iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset

Did anyone write a similar patch to ipfw? Or ... is this something desirable for ipfw which the developers will add in the future?

Thanks

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 9 19:17:15 2005
From: Brooks Davis
To: Tyrone@telecity.se
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 9 Nov 2005 11:17:14 -0800
Message-ID: <20051109191714.GH12837@odin.ac.hmc.edu>
Subject: Re: shaping

On Tue, Nov 08, 2005 at 11:28:42AM +0100, Tyrone@telecity.se wrote:
> Hi
>
> I'm having trouble creating a carp interface
>
> My freebsd vers is FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE #3: Mon Nov
> 7 12:56:32 CET 2005 tyrone@:/usr/src/sys/i386/compile/CLOWNFISH
> i386
>
> When I type
>
> # ifconfig carp0 create
>
> I get the following error
>
> ifconfig: SIOCIFCREATE: Invalid argument
>
> Is there anything I have to enable before?

Is CARP compiled in to your kernel? What does "ifconfig -C" say.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 10 12:09:36 2005
From: "Pedro Paulo de Magalhaes Oliveira Junior"
To: freebsd-ipfw@freebsd.org
Date: Thu, 10 Nov 2005 10:09:22 -0200
Message-ID: <000001c5e5ef$97247320$2d00a8c0@MICROPPJ>
In-Reply-To: <20051110120050.3A6FB16A428@hub.freebsd.org>
Subject: RE: String Match (Cesar)

IMHO this is the main disadvantage of FreeBSD and IPFW. Sure, Linux has better support on string match for IPS.

----------------------------------------------------------------------

Message: 1
Date: Wed, 9 Nov 2005 11:52:35 -0300
From: "Cesar"
Subject: String Match
Message-ID: <002b01c5e53d$38c99d30$f2faa8c0@ironman>

An interesting thing in iptables is that option to match strings, like this example:

iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p TCP -m string --string "GET /announce" -j REJECT --reject-with tcp-reset

Did anyone wrote a similar patch to ipfw? or ... Is this something desirable to ipfw which the developers will put in the future?

Thanks

------------------------------

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 10 13:58:00 2005
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Reply-To: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 10 Nov 2005 14:57:58 +0100 (CET)
Message-Id: <200511101357.jAADvwWH008434@lurza.secnetix.de>
In-Reply-To: <002b01c5e53d$38c99d30$f2faa8c0@ironman>
Subject: Re: String Match

Cesar wrote:
> An interesting thing in iptables is that option to match strings, like this
> example:
>
> iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j
> REJECT --reject-with tcp-reset
> iptables -A FORWARD -p TCP -m string --string "GET /announce" -j
> REJECT --reject-with tcp-reset
>
> Did anyone wrote a similar patch to ipfw? or ...
> Is this something desirable to ipfw which the developers will put in the future?

I can't think of any real-world examples where string-matching would be useful and work reliably. The above examples do not work reliably, because the rules would also have rejected your email to this mailing list. ;-)

If you want to filter on application level (e.g. certain HTTP GET commands like the one above), you should do it in the application (e.g. apache). That's not the job of a packet filter.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Unix gives you just enough rope to hang yourself --
and then a couple of more feet, just to be sure."
        -- Eric Allman

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 10 14:25:58 2005
From: "Cesar"
To: freebsd-ipfw@FreeBSD.ORG
References: <200511101357.jAADvwWH008434@lurza.secnetix.de>
Date: Thu, 10 Nov 2005 11:25:37 -0300
Message-ID: <000c01c5e602$9ed10a30$46bb1ec9@ironman>
Subject: Re: String Match

Sorry for my bad explanation ...

I want to do with ipfw what IPP2P (http://www.ipp2p.org) does; it uses a modification in the linux kernel/iptables, some kind of "string match", to identify P2P traffic.

Nowadays I use port-based rules to limit P2P traffic, which is not a good solution since most P2P programs are using random ports.

----- Original Message -----
From: "Oliver Fromme"
Sent: Thursday, November 10, 2005 10:57 AM
Subject: Re: String Match

> I can't think of any real-world examples where string-
> matching would be useful and work reliably. The above
> examples do not work reliably, because the rules would
> also have rejected your email to this mailing list. ;-)
>
> If you want to filter on application level (e.g. certain
> HTTP GET commands like the one above), you should do it
> in the application (e.g. apache). That's not the job of
> a packet filter.
>
> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> "Unix gives you just enough rope to hang yourself --
> and then a couple of more feet, just to be sure."
> -- Eric Allman

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 10 15:55:49 2005
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Reply-To: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 10 Nov 2005 16:55:46 +0100 (CET)
Message-Id: <200511101555.jAAFtkqw013738@lurza.secnetix.de>
In-Reply-To: <000c01c5e602$9ed10a30$46bb1ec9@ironman>
Subject: Re: String Match

Cesar wrote:
>
> Sorry for my bad explanation ...
>
> I want to do with ipfw what IPP2P (http://www.ipp2p.org) does; it uses a
> modification in the Linux kernel/iptables, some kind of "string match", to
> identify P2P traffic.

Which is basically a bad idea, as I have explained in my previous mail.

> Nowadays I use port based rules to limit P2P traffic, which is not a good
> solution since most P2P programs are using random ports.

May I ask why you need to do that? Are you operating an internet router for
untrusted users?

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I invented Ctrl-Alt-Delete, but Bill Gates made it famous."
        -- David Bradley, original IBM PC design team

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 10 16:58:57 2005
From: "Cesar"
Date: Thu, 10 Nov 2005 13:58:37 -0300
Message-ID: <002301c5e617$fe751750$46bb1ec9@ironman>
References: <200511101555.jAAFtkqw013738@lurza.secnetix.de>
Subject: Re: String Match

It's not a bad idea, since I see a lot of people searching for P2P traffic
control/shaping.

I'm operating an ISP with 3000 broadband users ... And yes, I can call them
untrusted, but this is not the point.

With ipfw I can do per-IP traffic shaping, but what about if I could limit
an IP to 256kbps and say that this IP will be able to use only 128Kbps for
P2P traffic?

As I said, I do this nowadays by creating rules based on P2P ports, as
m0n0wall does. However, it is not as efficient as iptables. I tried a Linux
based system (Mikrotik) to limit P2P and it matched almost 100% of P2P
traffic ... And as far as I know, ipfw can't do this.

And maybe this kind of string match can become useful for other things.

Cesar

----- Original Message -----
From: "Oliver Fromme"
Sent: Thursday, November 10, 2005 12:55 PM
Subject: Re: String Match

> Cesar wrote:
> > Sorry for my bad explanation ...
> >
> > I want to do with ipfw what IPP2P (http://www.ipp2p.org) does; it uses a
> > modification in the Linux kernel/iptables, some kind of "string match",
> > to identify P2P traffic.
>
> Which is basically a bad idea, as I have explained in my previous mail.
>
> > Nowadays I use port based rules to limit P2P traffic, which is not a
> > good solution since most P2P programs are using random ports.
>
> May I ask why you need to do that? Are you operating an internet router
> for untrusted users?
>
> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Services with a focus on FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> "I invented Ctrl-Alt-Delete, but Bill Gates made it famous."
>         -- David Bradley, original IBM PC design team

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 10 19:23:51 2005
From: Max Laier
To: freebsd-ipfw@freebsd.org
Cc: Cesar
Date: Thu, 10 Nov 2005 20:23:31 +0100
Message-Id: <200511102023.43495.max@love2party.net>
In-Reply-To: <002b01c5e53d$38c99d30$f2faa8c0@ironman>
Subject: Re: String Match

On Wednesday 09 November 2005 15:52, Cesar wrote:
> An interesting thing in iptables is that option to match strings, like this
> example:
>
> iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j
> REJECT --reject-with tcp-reset
> iptables -A FORWARD -p TCP -m string --string "GET /announce" -j
> REJECT --reject-with tcp-reset
>
> Did anyone write a similar patch to ipfw? or ... Is this something
> desirable to ipfw which the developers will put in the future?

As Oliver pointed out, this is not a good idea. If you still want to do it,
why don't you hook a filter into a divert socket? It's certainly *not* a
good idea to bloat IPFW (or any other general purpose packet filter) with a
generally useless feature like this - if you think you need something special
you can either do it in the userland (via divert or bpf) or you could just do
an independent pfil(9) consumer module, finally there is netgraph.
--
 /"\  Best regards,                      | mlaier@freebsd.org
 \ /  Max Laier                          | ICQ #67774661
  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
 / \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 10 19:31:56 2005
From: Darcy Buskermolen
Organization: Wavefire Technologies Corp
To: freebsd-ipfw@freebsd.org
Cc: Max Laier, Cesar
Date: Thu, 10 Nov 2005 11:32:49 -0800
Message-Id: <200511101132.49588.darcy@wavefire.com>
In-Reply-To: <200511102023.43495.max@love2party.net>
Subject: Re: String Match

On Thursday 10 November 2005 11:23, Max Laier wrote:
> On Wednesday 09 November 2005 15:52, Cesar wrote:
> > An interesting thing in iptables is that option to match strings, like
> > this example:
> >
> > iptables -A FORWARD -p TCP -m string --string "BitTorrent protocol" -j
> > REJECT --reject-with tcp-reset
> > iptables -A FORWARD -p TCP -m string --string "GET /announce" -j
> > REJECT --reject-with tcp-reset
> >
> > Did anyone write a similar patch to ipfw? or ... Is this something
> > desirable to ipfw which the developers will put in the future?
>
> As Oliver pointed out, this is not a good idea. If you still want to do
> it, why don't you hook a filter into a divert socket? It's certainly *not*
> a good idea to bloat IPFW (or any other general purpose packet filter) with
> a generally useless feature like this - if you think you need something
> special you can either do it in the userland (via divert or bpf) or you
> could just do an independent pfil(9) consumer module, finally there is
> netgraph.

snort_inline (ports/security/snort_inline) may also be useful for what you
want.

--
Darcy Buskermolen
Wavefire Technologies Corp.
http://www.wavefire.com
ph: 250.717.0200
fx: 250.763.1759

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 11 12:10:50 2005
From: "Pedro Paulo de Magalhaes Oliveira Junior"
Date: Fri, 11 Nov 2005 10:10:37 -0200
Message-ID: <003101c5e6b8$eea1a8b0$2d00a8c0@MICROPPJ>
In-Reply-To: <20051111120037.773AB16A424@hub.freebsd.org>
Subject: RES: String Match - Oliver Opinion

I think Oliver is wrong. The behavior he describes is not an excuse to not
have this feature for the guys who use it in Linux.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 11 17:14:31 2005
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Date: Fri, 11 Nov 2005 18:14:27 +0100 (CET)
Message-Id: <200511111714.jABHERRs071823@lurza.secnetix.de>
In-Reply-To: <002301c5e617$fe751750$46bb1ec9@ironman>
Subject: Re: String Match

Cesar wrote:
> It's not a bad idea, since I see a lot of people searching for P2P traffic
> control/shaping.
>
> I'm operating an ISP with 3000 broadband users ... And yes, I can call them
> untrusted, but this is not the point.

In that case I'm thankful that I'm not your customer. My DSL provider does
not restrict or limit traffic arbitrarily. If he did, I would cancel the
contract and go to a different provider. (Note that I'm not using any P2P
applications myself.)

> I tried a Linux based system (Mikrotik) to limit P2P and it matched almost
> 100% of P2P traffic ... And as far as I know, ipfw can't do this.

It is not IPFW's job. This does not belong in the packet filter in the
kernel. Linux has a lot of crazy things, such as an in-kernel HTTP server,
but that doesn't mean that FreeBSD has to follow it.

As Max pointed out, you can achieve the same in various ways (divert, bpf,
pfil, netgraph), which are much better suited for that job.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

Passwords are like underwear. You don't share them, you don't hang them on
your monitor or under your keyboard, you don't email them, or put them on a
web site, and you must change them very often.
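The divert-socket route that Max and Oliver recommend, as an added example that is not from the thread or from FreeBSD's own code: a small C program that receives packets from ipfw over a divert(4) socket, scans the TCP payload for the two strings quoted from Cesar's iptables rules, drops segments that match and reinjects the rest into the ruleset. The divert port 8668, the matching ipfw divert rule and the classify_sample() helper are assumptions made for this example; the per-packet scan also inherits the limitation Oliver describes, since a string split across two segments is never seen.

```c
/* Added example, not from the thread: a userland filter on a FreeBSD divert(4) socket
 * that scans TCP payloads for the strings from Cesar's iptables rules and drops matches. */
#include <stdint.h>
#include <string.h>
#ifdef __FreeBSD__   /* only the divert loop in main() needs these, and it builds on FreeBSD only */
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#endif
static const char *const signatures[] = { "BitTorrent protocol", "GET /announce" };
#define N_SIGS (sizeof signatures / sizeof signatures[0])
/* Locate the TCP payload in a raw IPv4 packet (fields read by byte offset); length or -1. */
static int tcp_payload(const uint8_t *pkt, size_t len, const uint8_t **out)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return -1;        /* IPv4 + TCP only */
    size_t ihl = (pkt[0] & 0x0f) * 4, total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total > len || total < ihl + 20) return -1;
    size_t doff = (pkt[ihl + 12] >> 4) * 4;                               /* TCP header bytes */
    if (doff < 20 || ihl + doff > total) return -1;
    *out = pkt + ihl + doff; return (int)(total - ihl - doff);
}
/* Index of the first signature in the payload, or -1. Byte-wise search (payloads may hold
 * NUL). Caveat from the thread: a string split across two segments is never seen. */
int match_signature(const uint8_t *pkt, size_t len)
{
    const uint8_t *p; int n = tcp_payload(pkt, len, &p);
    for (size_t i = 0; n > 0 && i < N_SIGS; i++) {
        size_t slen = strlen(signatures[i]);
        for (size_t off = 0; off + slen <= (size_t)n; off++)
            if (memcmp(p + off, signatures[i], slen) == 0) return (int)i;
    }
    return -1;
}
int classify_sample(const char *payload)   /* offline helper: constructed IPv4/TCP packet around payload */
{
    uint8_t pkt[1500] = {0};
    size_t plen = strlen(payload), total = 40 + plen;
    if (total > sizeof pkt) return -1;
    pkt[0] = 0x45; pkt[2] = (uint8_t)(total >> 8); pkt[3] = (uint8_t)total; pkt[9] = 6;
    pkt[32] = 0x50;                   /* TCP data offset 5 words; checksums left zero */
    memcpy(pkt + 40, payload, plen);
    return match_signature(pkt, total);
}
#ifdef __FreeBSD__   /* assumed pairing: ipfw add divert 8668 tcp from any to any */
int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_len = sizeof sin, .sin_family = AF_INET, .sin_port = htons(8668) };
    socklen_t sl = sizeof sin; static uint8_t buf[65535];
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sl) < 0) { perror("divert"); return 1; }
    for (ssize_t n; (n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &sl)) >= 0; sl = sizeof sin) {
        int s = match_signature(buf, (size_t)n);
        if (s >= 0) fprintf(stderr, "drop: matched \"%s\"\n", signatures[s]);  /* not reinjected */
        else if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sin, sl) < 0) perror("sendto");
    }
    perror("recvfrom"); close(fd); return 1;
}
#endif
```

Reinjecting with the sockaddr that recvfrom() filled in makes the packet continue at the rule after the divert rule, so everything that is not dropped still passes the rest of the ipfw ruleset.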