From: AT Matik
To: freebsd-ipfw@freebsd.org
Cc: freebsd-net@freebsd.org, Vadim Goncharov, Julian Elischer
Date: Sat, 13 May 2006 22:49:38 -0300
Subject: Re: [patch] ipfw packet tagging

On Saturday 13 May 2006 07:08, Vadim Goncharov wrote:
>
> > > would be cool however.
>
> May be, but I can't imagine a real situation where it can be useful,
> as tables already contain IP addresses. Can you give a real-life
> example where it helps ?

cool = good
may be = wonderful
can't imagine = even worse
means I need to read the entire thread = bad
not cool

J.


From: "Max Laier"
To: freebsd-ipfw@freebsd.org
Date: Sun, 14 May 2006 06:34:24 +0200 (CEST)
Subject: Re: kern/88664: [ipfw] ipfw stateful firewalling broken with IPv6

Everybody with IPv6 please take a look at the patches in the PR and report
back whether or not they fix things.

> http://www.freebsd.org/cgi/query-pr.cgi?pr=88664

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Attachment: ipfw_hash.diff
Index: ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.130 diff -u -r1.130 ip_fw2.c --- ip_fw2.c 12 May 2006 20:39:23 -0000 1.130 +++ ip_fw2.c 14 May 2006 04:21:01 -0000
@@ -641,11 +641,11 @@ hash_packet6(struct ipfw_flow_id *id) { u_int32_t i; - i = (id->dst_ip6.__u6_addr.__u6_addr32[0]) ^ - (id->dst_ip6.__u6_addr.__u6_addr32[1]) ^ - (id->dst_ip6.__u6_addr.__u6_addr32[2]) ^ + i = (id->dst_ip6.__u6_addr.__u6_addr32[2]) ^ (id->dst_ip6.__u6_addr.__u6_addr32[3]) ^ - (id->dst_port) ^ (id->src_port) ^ (id->flow_id6); + (id->src_ip6.__u6_addr.__u6_addr32[2]) ^ + (id->src_ip6.__u6_addr.__u6_addr32[3]) ^ + (id->dst_port) ^ (id->src_port); return i; }
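Review bot: the hash_packet6 hunk fixes an asymmetry that defeats bidirectional state lookup for IPv6: the removed expression mixed only the destination address words and flow_id6, so the reply packet of a flow (src and dst swapped) hashed to a different bucket from the state installed on the forward packet. The new expression XORs the same words of src_ip6 and dst_ip6, which is invariant under swapping the two, and drops flow_id6, which is not guaranteed to be the same on the return direction. Please add a one-line comment above the expression stating that the hash must be symmetric in src/dst, because the old form reads plausibly and is easy to reintroduce. Minor: only words [2] and [3] (the low 64 bits) of each address are mixed in, so hosts sharing an interface identifier across different prefixes land in one bucket; that is a distribution concern only, since the full flow compare decides correctness.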
From: regisr
To: freebsd-ipfw@freebsd.org
Date: Sun, 14 May 2006 08:59:12 +0200
Subject: Re: kern/88664: [ipfw] ipfw stateful firewalling broken with IPv6

Hi,

On Sun, 14 May 2006 06:34:24 +0200 (CEST) "Max Laier" wrote:

> Everybody with IPv6 please take a look at the patches in the PR and report
> back whether or not they fix things.

I tested it for ftp, it is OK.

Thanks

From: Paolo Pisati
To: FreeBSD_Net
Cc: FreeBSD_Ipfw
Date: Sun, 14 May 2006 22:06:14 -0000
Subject: [6.x patchset] Ipfw nat and libalias modules

Released a new revision of my libalias+ipfw work as a patchset for 6.x, get it here:

http://mercurio.srv.dsi.unimi.it/~pisati/libalias/libalias-6.x.tgz

Fixed the checksum corruption occurring to redirected/generated traffic to/by a local interface on the nat box.

For more info:

http://wikitest.freebsd.org/moin.cgi/PaoloPisati

-- 
Paolo

"there are too many external influences, the real world is not at all the fairy-tale one of the kommunists :-p" - Anonymous Lumbard

From: Ian FREISLICH
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 15 May 2006 12:19:21 +0200
Subject: ipfw state interface context.

Hi

We're using ipfw as a shared customer firewall with lots of vlan interfaces for customers, and where customers are able to modify their rules, we're unable to do any stateful firewalling. Maybe it's just a design issue with the way it's been set up:

00020 deny log ip from any to any not antispoof
00040 skipto 60000 ip from any to me
00050 skipto 60000 ip from me to any
00301 skipto 1100 ip from any to any in recv vlan1
00301 skipto 1100 ip from any to any out xmit vlan1
...
00564 skipto 27400 ip from any to any in recv vlan264
00564 skipto 27400 ip from any to any out xmit vlan264
01000 allow ip from any to not me
#vlan1
01100 allow tcp from any to any dst-port 22 setup out xmit vlan1
01199 allow udp from any to any dst-port 53 in recv vlan1 keep-state
01199 allow icmp from any to any in recv vlan1 icmptypes 8
01199 allow icmp from any to any out xmit vlan1 icmptypes 0
01199 check-state
01199 allow tcp from any to any established out xmit vlan1
01199 allow tcp from any to any in recv vlan1
01199 deny log ip from any to any
...
#vlan264
27400 allow tcp from any to any dst-port 22 setup out xmit vlan264
27499 allow udp from any to any dst-port 53 in recv vlan264 keep-state
27499 allow icmp from any to any in recv vlan264 icmptypes 8
27499 allow icmp from any to any out xmit vlan264 icmptypes 0
27499 check-state
27499 allow tcp from any to any established out xmit vlan264
27499 allow tcp from any to any in recv vlan264
27499 deny log ip from any to any
...
60000 allow icmp from 196.40.106.243 to me
60010 allow ip from any to me icmptypes 8 not via re1
60020 allow icmp from 196.7.147.237,196.22.132.223 to me icmptypes 8 via re1
60030 deny log ip from any to me out via re1
60040 allow tcp from me to any
60050 allow udp from me to any keep-state
60060 allow udp from any to me frag
60070 allow icmp from me to any keep-state
60080 allow ospf from any to any via re1
60090 allow tcp from any to me dst-port 22,3000 setup
60100 allow ip from any to me established
60110 check-state
65533 deny tcp from any to me dst-port 137,138,139,445
65534 deny log ip from any to any
65535 deny ip from any to any

The problem is this: say a udp packet enters vlan264 destined for a host on vlan1 port 53. This packet results in a dynamic rule (contrived in this example):

27499 1 141 (5s) STATE udp 192.168.0.2 2191 <-> 192.168.1.9 53

Now, even though vlan1 doesn't have a rule allowing these packets in its rule section, the keep-state or check-state rule allows the packets through because of the state rule added by vlan264. I've patched the ipfw to store the interface details with the dynamic rule so the above rule would be printed out:

27499 1 141 (5s) STATE (vlan264) udp 192.168.0.2 2191 <-> 192.168.1.9 53

The check-state rule (01199) will ignore this dynamic rule because at that point the packet is leaving vlan1 and this dynamic rule was created by a packet entering vlan264. Without this patch it is impossible to do stateful filtering for multiple interfaces without introducing some security issues.
I've checked for regressions with stateful filtering and connection limiting and I've not uncovered any yet.

Thoughts?

Ian

-- 
Ian Freislich

Attachment: ipfw_sbin.patch
Index: ipfw2.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.87 diff -u -d -r1.87 ipfw2.c --- ipfw2.c 31 Mar 2006 12:54:17 -0000 1.87 +++ ipfw2.c 8 May 2006 13:26:03 -0000 @@ -1950,7 +1950,7 @@ printf(" LIMIT"); break; case O_KEEP_STATE: /* bidir, no mask */ - printf(" STATE"); + printf(" STATE (%s)", d->if_name); break; }

Attachment: ipfw_module.patch
Index: ip_fw.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.104 diff -u -d -r1.104 ip_fw.h --- ip_fw.h 14 Feb 2006 06:36:39 -0000 1.104 +++ ip_fw.h 8 May 2006 13:24:16 -0000 @@ -422,6 +422,8 @@ /* to generate keepalives) */ u_int16_t dyn_type; /* rule type */ u_int16_t count; /* refcount */ + u_short if_index; + char if_name[IFNAMSIZ]; }; /* Index: ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.127 diff -u -d -r1.127 ip_fw2.c --- ip_fw2.c 3 Mar 2006 12:10:59 -0000 1.127 +++ ip_fw2.c 9 May 2006 07:08:49 -0000 @@ -1120,7 +1120,7 @@ */ static ipfw_dyn_rule * lookup_dyn_rule_locked(struct ipfw_flow_id *pkt, int *match_direction, - struct tcphdr *tcp) + struct tcphdr *tcp, struct ifnet *ifp) { /* * stateful ipfw extensions.
@@ -1139,7 +1139,9 @@ goto done; /* not found */ i = hash_packet( pkt ); for (prev=NULL, q = ipfw_dyn_v[i] ; q != NULL ; ) { - if (q->dyn_type == O_LIMIT_PARENT && q->count) + if ((q->dyn_type == O_LIMIT_PARENT && q->count) || + (q->dyn_type == O_KEEP_STATE && + q->if_index != ifp->if_index)) goto next; if (TIME_LEQ( q->expire, time_uptime)) { /* expire entry */ UNLINK_DYN_RULE(prev, ipfw_dyn_v[i], q); @@ -1263,12 +1265,12 @@ static ipfw_dyn_rule * lookup_dyn_rule(struct ipfw_flow_id *pkt, int *match_direction, - struct tcphdr *tcp) + struct tcphdr *tcp, struct ifnet *ifp) { ipfw_dyn_rule *q; IPFW_DYN_LOCK(); - q = lookup_dyn_rule_locked(pkt, match_direction, tcp); + q = lookup_dyn_rule_locked(pkt, match_direction, tcp, ifp); if (q == NULL) IPFW_DYN_UNLOCK(); /* NB: return table locked when q is not NULL */ @@ -1315,7 +1317,8 @@ * - "parent" rules for the above (O_LIMIT_PARENT). */ static ipfw_dyn_rule * -add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule) +add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule, + struct ifnet *ifp) { ipfw_dyn_rule *r; int i; @@ -1352,6 +1355,11 @@ r->dyn_type = dyn_type; r->pcnt = r->bcnt = 0; r->count = 0; + if (dyn_type == O_KEEP_STATE) { + r->if_index = ifp->if_index; + strncpy(r->if_name, ifp->if_xname, IFNAMSIZ); + r->if_name[IFNAMSIZ] = '\0'; + } r->bucket = i; r->next = ipfw_dyn_v[i]; @@ -1402,7 +1410,7 @@ return q; } } - return add_dyn_rule(pkt, O_LIMIT_PARENT, rule); + return add_dyn_rule(pkt, O_LIMIT_PARENT, rule, NULL); } /** @@ -1413,7 +1421,7 @@ */ static int install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, - struct ip_fw_args *args) + struct ip_fw_args *args, struct ifnet *ifp) { static int last_log; @@ -1426,7 +1434,7 @@ IPFW_DYN_LOCK(); - q = lookup_dyn_rule_locked(&args->f_id, NULL, NULL); + q = lookup_dyn_rule_locked(&args->f_id, NULL, NULL, ifp); if (q != NULL) { /* should never occur */ if (last_log != time_uptime) { 
@@ -1454,7 +1462,7 @@ switch (cmd->o.opcode) { case O_KEEP_STATE: /* bidir rule */ - add_dyn_rule(&args->f_id, O_KEEP_STATE, rule); + add_dyn_rule(&args->f_id, O_KEEP_STATE, rule, ifp); break; case O_LIMIT: /* limit number of sessions */ @@ -1506,7 +1514,7 @@ return 1; } } - add_dyn_rule(&args->f_id, O_LIMIT, (struct ip_fw *)parent); + add_dyn_rule(&args->f_id, O_LIMIT, (struct ip_fw *)parent, NULL); } break; default: @@ -1514,7 +1522,7 @@ IPFW_DYN_UNLOCK(); return 1; } - lookup_dyn_rule_locked(&args->f_id, NULL, NULL); /* XXX just set lifetime */ + lookup_dyn_rule_locked(&args->f_id, NULL, NULL, ifp); /* XXX just set lifetime */ IPFW_DYN_UNLOCK(); return 0; } @@ -2929,7 +2937,8 @@ case O_LIMIT: case O_KEEP_STATE: if (install_state(f, - (ipfw_insn_limit *)cmd, args)) { + (ipfw_insn_limit *)cmd, args, oif ? oif : + m->m_pkthdr.rcvif)) { retval = IP_FW_DENY; goto done; /* error/limit violation */ } 
@@ -2950,7 +2959,8 @@ if (dyn_dir == MATCH_UNKNOWN && (q = lookup_dyn_rule(&args->f_id, &dyn_dir, proto == IPPROTO_TCP ? - TCP(ulp) : NULL)) + TCP(ulp) : NULL, oif ? oif : + m->m_pkthdr.rcvif)) != NULL) { /* * Found dynamic entry, update stats
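Review bot: off-by-one write in the @@ -1352,6 +1355,11 @@ hunk of ip_fw2.c: `r->if_name[IFNAMSIZ] = '\0';` stores one byte past the end of the `char if_name[IFNAMSIZ];` member added in ip_fw.h, clobbering whatever follows it in the ipfw_dyn_rule. The last valid index is IFNAMSIZ - 1; simpler still, replace the strncpy/terminator pair with `strlcpy(r->if_name, ifp->if_xname, sizeof(r->if_name));`. The same block dereferences ifp unconditionally for O_KEEP_STATE, while the callers in ipfw_chk pass `oif ? oif : m->m_pkthdr.rcvif` with no check that either is set, so a NULL ifp would panic here; either guard it or skip tagging the entry when no interface is known.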
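Review bot: the new skip condition in @@ -1139,7 +1139,9 @@ compares only `q->if_index != ifp->if_index`, although the entry also stores if_name. Interface indices are reused once a cloned interface such as a vlan is destroyed and recreated, so a not-yet-expired state from the old vlan264 could match a newly created interface that inherits its index; compare if_name as well, or purge matching states when the interface goes away. Also note the filter applies only to O_KEEP_STATE entries: O_LIMIT children are created with `ifp == NULL` (the @@ -1506,7 +1514,7 @@ hunk) and still match from any interface, so the cross-interface problem described in the mail remains for `limit` rules. Worth saying so in the commit message or extending the check.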
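Review bot: `oif ? oif : m->m_pkthdr.rcvif` is evaluated in both the install_state call (@@ -2929,7 +2937,8 @@) and the lookup_dyn_rule call (@@ -2950,7 +2959,8 @@); hoist it into one local near the top of ipfw_chk so the two call sites cannot drift and a single NULL check covers both. The semantics this choice implies also deserve a comment: the stored interface is whichever one the packet is currently associated with (rcvif on input, oif on output), so a state created by a packet entering vlan264 is matched by the reply leaving on vlan264 but ignored while the original packet is evaluated on output on vlan1, which is exactly the isolation the mail asks for.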
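Review bot: the sbin hunk @@ -1950,7 +1950,7 @@ reads `d->if_name` from the same ipfw_dyn_rule that ip_fw.h now extends by two fields, so the structure layout shared between kernel and sbin/ipfw changes; an ipfw binary built against the old header will mis-parse the dynamic-rule list returned by the patched kernel, and vice versa. Document that kernel and ipfw(8) must be rebuilt together, and consider printing the interface only when if_name is non-empty, since O_LIMIT children never have it set.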
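The cross-interface state match Ian describes, as an added example that is not code from the thread or from FreeBSD: a small Python model of ipfw's dynamic-rule table with the bidirectional match of lookup_dyn_rule and an optional per-entry interface tag like the one the patch adds. The flow values are the constructed ones from the mail; names such as FlowId, DynTable and run_scenario are this example's own.

```python
"""Model of ipfw dynamic (keep-state) rules with and without interface context.

Added illustration, not FreeBSD code.  Flow values are the constructed ones
from the mail: udp 192.168.0.2:2191 -> 192.168.1.9:53 entering vlan264 and
destined for a host behind vlan1.  Rule numbers 27499 (vlan264 section) and
01199 (vlan1 section) are the check-state rules from the posted ruleset.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowId:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "FlowId":
        """The same flow seen from the reply direction."""
        return FlowId(self.proto, self.dst_ip, self.dst_port,
                      self.src_ip, self.src_port)


@dataclass
class DynRule:
    flow: FlowId
    rule_number: int          # static rule that installed the state
    if_name: Optional[str]    # None models the unpatched kernel (no interface stored)

    def render(self) -> str:
        """Roughly what 'ipfw -d show' prints, with the patch's '(ifname)' tag."""
        tag = f" ({self.if_name})" if self.if_name else ""
        return (f"{self.rule_number} STATE{tag} {self.flow.proto} "
                f"{self.flow.src_ip} {self.flow.src_port} <-> "
                f"{self.flow.dst_ip} {self.flow.dst_port}")


class DynTable:
    def __init__(self, scope_to_interface: bool):
        self.scope_to_interface = scope_to_interface
        self.rules: list[DynRule] = []

    def keep_state(self, flow: FlowId, rule_number: int, ifname: str) -> DynRule:
        """keep-state: install a bidirectional entry for this flow."""
        r = DynRule(flow, rule_number, ifname if self.scope_to_interface else None)
        self.rules.append(r)
        return r

    def check_state(self, flow: FlowId, ifname: str) -> Optional[DynRule]:
        """check-state: match the flow in either direction.

        With interface scoping, an entry created while the packet was
        associated with a different interface is skipped, which is what the
        patch's if_index comparison in lookup_dyn_rule_locked does.
        """
        for r in self.rules:
            if self.scope_to_interface and r.if_name != ifname:
                continue
            if flow in (r.flow, r.flow.reverse()):
                return r
        return None


def run_scenario(scope_to_interface: bool) -> dict:
    """Walk the DNS query and its reply through the firewall (each passes in and out)."""
    table = DynTable(scope_to_interface)
    query = FlowId("udp", "192.168.0.2", 2191, "192.168.1.9", 53)
    reply = query.reverse()

    # 1. query enters on vlan264: 'allow udp ... dst-port 53 in recv vlan264 keep-state'
    state = table.keep_state(query, 27499, "vlan264")
    # 2. the same packet is evaluated again on output (out xmit vlan1): vlan1's check-state
    query_out_vlan1 = table.check_state(query, "vlan1") is not None
    # 3. the DNS reply enters on vlan1: vlan1's check-state again
    reply_in_vlan1 = table.check_state(reply, "vlan1") is not None
    # 4. the reply leaves on vlan264: vlan264's own check-state
    reply_out_vlan264 = table.check_state(reply, "vlan264") is not None

    return {
        "state": state.render(),
        # True: vlan1's static rules were bypassed by a state vlan264 created
        "vlan1_bypassed_by_vlan264_state": query_out_vlan1 or reply_in_vlan1,
        # True: the return path is still stateful on the interface that made the state
        "reply_allowed_on_vlan264": reply_out_vlan264,
    }


if __name__ == "__main__":
    for scoped in (False, True):
        print("with interface context:" if scoped else "without interface context:")
        for key, value in run_scenario(scoped).items():
            print(f"  {key}: {value}")
```

With scoping on, the reply entering vlan1 no longer rides on vlan264's state and has to pass vlan1's own static rules, which is the behaviour change the patch intends.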
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 15 May 2006 11:02:48 -0000
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   [ipfw] [patch] ipfw2 create dynamic rules f
f [2003/04/24] kern/51341  ipfw   [ipfw] [patch] ipfw rule 'deny icmp from
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762  ipfw   [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913   ipfw   [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08] kern/88659  ipfw   [modules] ipfw and ip6fw do not work prop
o [2006/02/13] kern/93300  ipfw   ipfw pipe lost packets
o [2006/03/29] kern/95084  ipfw   [ipfw] [patch] IPFW2 ignores "recv/xmit/v

9 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159  ipfw   [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172  ipfw   [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086  ipfw   [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749   ipfw   [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984  ipfw   [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   [ipfw] install_state warning about alread
o [2004/09/04] kern/71366  ipfw   [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987  ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276  ipfw   [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/03/13] bin/78785   ipfw   [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642  ipfw   [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724  ipfw   [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957  ipfw   [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032  ipfw   [ipfw] [patch] ipfw ioctl interface imple
o [2006/01/16] kern/91847  ipfw   [ipfw] ipfw with vlanX as the device
o [2006/02/16] kern/93422  ipfw   ipfw divert rule no longer works in 6.0 (
o [2006/03/31] bin/95146   ipfw   [ipfw][patch]ipfw -p option handler is bo
o [2006/05/13] bin/97194   ipfw   [patch] [ipfw] ipfw does not correctly li

20 problems total.

From: "PFS IT"
To: freebsd-questions@freebsd.org, freebsd-ipfw@freebsd.org
Date: Tue, 16 May 2006 17:56:46 -0400
Subject: IPFW - Two External Interfaces

I am attempting to use IPFW (and either IPNAT or natd) to do the following:

I have two connections to the outside world coming in to my firewall. em0 has a static ip and is going to a bridged DSL connection, then bge1 has a static ip and is going to a few bonded DS1s. bge0 goes to my internal network. I am attempting to have NAT on both external interfaces, and have most outbound traffic move across bge1, while traffic from/to a particular internal system (We'll call it internal_system for purposes of this message) to/from a particular remote system (This we'll call remote_system) port 80 moves across the DSL line on em0.

Here is an attempt at a pretty ascii picture

                ISP 1
            [192.168.2.254]
                  |
                  |
          [bge1:192.168.2.1]
FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
          [em0:192.168.1.1]
                  |
                  |
            [192.168.1.254]
                ISP 2

Here are the rules I've tried using in conjunction with natd:

#Send incoming traffic to natd
00400 divert 8869 ip from any to any in via bge1
00450 divert 8868 ip from any to any in via em0
00500 check-state
#Check for internal_system port 80 traffic
0600 skipto 900 from $internal_system to $remote_system 80
#Send Most Traffic out via bge1
00700 divert 8869 ip from $local_net to any in
00750 divert 8869 ip from $local_net to any out
#Send "special" traffic out via em0
00900 divert 8868 ip from $internal_system to $remote_system 80 in
00950 divert 8868 ip from $remote_system to $remote_system 80 out
#policy route to get traffic to the correct ISP
02000 fwd $isp2_gw ip from $isp2_ip to any
02500 fwd $isp1_gw ip from $isp1_ip to any

Two instances of natd are running, one on port 8868 with an alias address of $isp1_ip, the other is on port 8869 with an alias address of $isp2_ip

With the above ipfw rules in place, a

$ ping -S $isp2_ip google.com

should result in a ping across em0 to google, however it acts as though it cannot even reach the $isp2_gw.

I have been able to get everything to work exactly as I want it to using pf on FreeBSD, but I've been told that ipfw is preferred within the organization.

Any suggestions would be greatly appreciated.

Jared Baldridge
Systems Administrator
PFS

From: "Atom Powers"
To: "PFS IT"
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Date: Tue, 16 May 2006 23:24:36 -0000
Subject: Re: IPFW - Two External Interfaces

On 5/16/06, PFS IT wrote:
> I am attempting to use IPFW (and either IPNAT or natd) to do the following:
>
> I have two connections to the outside world coming in to my firewall.
> em0 has a static ip and is going to a bridged DSL connection, then
> bge1 has a static ip and is going to a a few bonded DS1s. bge0 goes to
> my internal network. I am attempting to have NAT on both external
> interfaces, and have most outbound traffic move across bge1, while
> traffic from/to a particular internal system (We'll call it
> internal_system for purposes of this message) to/from a particular
> remote system (This we'll call remote_system) port 80 moves across
> the DSL line on em0.
>

It was a situation similar to this that made me switch to pf. The NAT features available to IPFW (at least in the past) are/were pretty limited. If you are not committed to IPFW I would strongly recommend pf.

-- 
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--

From: Dennis Olvany
To: PFS IT
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Date: Wed, 17 May 2006 03:35:54 -0000
Subject: Re: IPFW - Two External Interfaces

PFS IT wrote:
> I am complicating the use of IPFW...

> Here is a pretty ascii picture. I drawed it meself.

>                 ISP 1
>             [192.168.2.254]
>                   |
>                   |
>           [bge1:192.168.2.1]
> FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
>           [em0:192.168.1.1]
>                   |
>                   |
>             [192.168.1.254]
>                 ISP 2

> #Send traffic to natd
> divert 8869 ip from any to any via bge1
> divert 8868 ip from any to any via em0

> #Send "special" traffic out via em0
> fwd $isp2_gw ip from $internal_system to $remote_system 80

> $internal_system# hping -STp 80 $remote_system
>
> Should result in a trace across em0 to google

From: vladone X-Mailer: The Bat! (v3.80.03) Professional X-Priority: 3 (Normal) Message-ID: <1295471077.20060517200234@spaingsm.com> To: ipfw@freebsd.org In-Reply-To: <996142470605161456n46e43682x392b1f4f2ccfec73@mail.gmail.com> References: <996142470605161456n46e43682x392b1f4f2ccfec73@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: Subject: Re: IPFW - Two External Interfaces X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 May 2006 17:02:34 -0000 Hello PFS, Wednesday, May 17, 2006, 12:56:46 AM, you wrote: > I am attempting to use IPFW (and either IPNAT or natd) to do the following: > I have two connections to the outside world coming in to my firewall. > em0 has a static ip and is going to a bridged DSL connection, then > bge1 has a static ip and is going to a a few bonded DS1s. bge0 goes to > my internal network. I am attempting to have NAT on both external > interfaces, and have most outbound traffic move across bge1, while > traffic from/to a particular internal system (We'll call it > internal_system for purposes of this message) to/from a particular > remote system (This we'll call remote_system) port 80 moves across > the DSL line on em0. 
> Here is an attempt at a pretty ascii picture
>
>                 ISP 1
>            [192.168.2.254]
>                  |
>                  |
>           [bge1:192.168.2.1]
> FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
>           [em0:192.168.1.1]
>                  |
>                  |
>            [192.168.1.254]
>                 ISP 2
>
> Here are the rules I've tried using in conjunction with natd:
>
> #Send incoming traffic to natd
> 00400 divert 8869 ip from any to any in via bge1
> 00450 divert 8868 ip from any to any in via em0
> 00500 check-state
>
> #Check for internal_system port 80 traffic
> 0600 skipto 900 from $internal_system to $remote_system 80
>
> #Send Most Traffic out via bge1
> 00700 divert 8869 ip from $local_net to any in
> 00750 divert 8869 ip from $local_net to any out
>
> #Send "special" traffic out via em0
> 00900 divert 8868 ip from $internal_system to $remote_system 80 in
> 00950 divert 8868 ip from $remote_system to $remote_system 80 out
>
> #policy route to get traffic to the correct ISP
> 02000 fwd $isp2_gw ip from $isp2_ip to any
> 02500 fwd $isp1_gw ip from $isp1_ip to any
>
> Two instances of natd are running, one on port 8868 with an alias
> address of $isp1_ip, the other is on port 8869 with an alias address
> of $isp2_ip
>
> With the above ipfw rules in place, a
>
> $ping -S $isp2_ip google.com
>
> Should result in a ping across em0 to google, however it acts as
> though it cannot even reach the $isp2_gw.
>
> I have been able to get everything to work exactly as I want it to
> using pf on FreeBSD, but I've been told that ipfw is preferred within

In my mind, for a normal situation (two interfaces, one internal and another external), u need two rules to divert traffic (sometimes only one).
In your case, u have two "channels", so u need about four divert rules:

divert 8869 ip from any to any in via bge1
divert 8868 ip from any to any in via em0
...........................................
divert 8869 ip from $first_class to any in via bge0
divert 8868 ip from $second_class to any in via bge0

For port forwarding, u can use natd.conf, for each instance.
U don't need to forward traffic with fwd. In your example u have six divert rules. Something is wrong.
U need to pay attention to where the fwd command is put in relation to the divert rules.

-- 
Best regards,
vladone                            mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 17 23:14:25 2006
Message-ID: <446BAE4A.3020802@gmail.com>
Date: Wed, 17 May 2006 18:14:18 -0500
From: Dennis Olvany
To: PFS IT
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
In-Reply-To: <996142470605161456n46e43682x392b1f4f2ccfec73@mail.gmail.com>
Subject: Re: IPFW - Two External Interfaces

>                 ISP 1
>            [192.168.2.254]
>                  |
>                  |
>           [bge1:192.168.2.1]
> FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
>           [em0:192.168.1.1]
>                  |
>                  |
>            [192.168.1.254]
>                 ISP 2

Actually, if you bridge the NICs, you may be able to get something going as referenced at the link.

http://www.mail-archive.com/freebsd-ipfw@freebsd.org/msg00539.html

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 19 03:54:00 2006
Message-ID: <996142470605182053j3cdd06b4v2f28a424edd0cbdc@mail.gmail.com>
Date: Thu, 18 May 2006 23:53:57 -0400
From: "PFS IT"
To: Matthew
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <001c01c67945$b770dfd0$af00a8c0@orange>
Subject: Re: IPFW - Two External Interfaces

On 5/16/06, Matthew wrote:
> I recommend you install tcptraceroute: /usr/ports/net/tcptraceroute/
>
> tcptraceroute will let you specify the interface so you can test your
> configuration.
>
> For example, I have a FWD rule:
> ipfw add 420 fwd 192.168.10.10 tcp from 84.16.244.0/24 to any
>
> [root@c3p0][~]$ tcptraceroute -s 84.16.244.178 -i gif0 www.google.com
> Selected device gif0, address 84.16.244.178, port 12154 for outgoing packets
> Tracing the path to www.google.com (72.14.203.99) on TCP port 80, 30 hops max
>  1  192.168.10.10 (192.168.10.10)  107.013 ms  106.731 ms  106.697 ms
>  2  fragw.gatewayrouter.net (84.16.224.1)  107.287 ms  107.211 ms  107.352 ms
>  3  fragw1.gatewayrouter.net (217.20.117.10)  106.937 ms  107.240 ms  106.986 ms
>  4  rtr-1.decix-germany.eweka.nl (80.81.192.224)  107.090 ms  107.509 ms  107.103 ms
>
> -- Matthew
>

This really highlights my problem that traffic with a source ip of 192.168.1.1 isn't being forwarded properly to 192.168.1.254.
I have removed all my NAT related rules for testing and have just the following:

ipfw -f flush
ipfw -f pipe flush
ipfw add fwd 192.168.1.254 tcp from 192.168.1.1 to any
ipfw add allow all from any to any

When I do a tcptraceroute as outlined above:

$sudo tcptraceroute -s 192.168.1.1 -i em0 google.com
Selected device em0, address 192.168.1.1, port 56472 for outgoing packets
Tracing the path to google.com (72.14.207.99) on TCP port 80, 30 hops max
 1  * * *

I get nowhere.

I can get out just fine on bge1, since 192.168.2.254 is my default gateway on the machine.

I am starting to feel like the fwd directive is simply broken on this machine... Could there be some kernel options that I'm missing? Are there any other places I should look for something silly that might be breaking forward? Again, this did in fact work with pf on this machine; due to "policy" I need to get it working in ipfw.

Jared Baldridge

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 19 17:36:55 2006
Message-ID: <1892564672.20060519203644@spaingsm.com>
Date: Fri, 19 May 2006 20:36:44 +0300
From: vladone
To: ipfw@freebsd.org
In-Reply-To: <996142470605182053j3cdd06b4v2f28a424edd0cbdc@mail.gmail.com>
Subject: Re[2]: IPFW - Two External Interfaces

Hello PFS,

Friday, May 19, 2006, 6:53:57 AM, you wrote:

> On 5/16/06, Matthew wrote:
>> I recommend you install tcptraceroute: /usr/ports/net/tcptraceroute/
>>
>> tcptraceroute will let you specify the interface so you can test your
>> configuration.
>>
>> For example, I have a FWD rule:
>> ipfw add 420 fwd 192.168.10.10 tcp from 84.16.244.0/24 to any
>>
>> [root@c3p0][~]$ tcptraceroute -s 84.16.244.178 -i gif0 www.google.com
>> Selected device gif0, address 84.16.244.178, port 12154 for outgoing packets
>> Tracing the path to www.google.com (72.14.203.99) on TCP port 80, 30 hops max
>>  1  192.168.10.10 (192.168.10.10)  107.013 ms  106.731 ms  106.697 ms
>>  2  fragw.gatewayrouter.net (84.16.224.1)  107.287 ms  107.211 ms  107.352 ms
>>  3  fragw1.gatewayrouter.net (217.20.117.10)  106.937 ms  107.240 ms  106.986 ms
>>  4  rtr-1.decix-germany.eweka.nl (80.81.192.224)  107.090 ms  107.509 ms  107.103 ms
>>
>> -- Matthew
>>
>
> This really highlights my problem that traffic with a source ip of
> 192.168.1.1 isn't being forwarded properly to 192.168.1.254. I have
> removed all my NAT related rules for testing and have just the
> following:
>
> ipfw -f flush
> ipfw -f pipe flush
> ipfw add fwd 192.168.1.254 tcp from 192.168.1.1 to any
> ipfw add allow all from any to any
>
> When I do a tcptraceroute as outlined above:
>
> $sudo tcptraceroute -s 192.168.1.1 -i em0 google.com
> Selected device em0, address 192.168.1.1, port 56472 for outgoing packets
> Tracing the path to google.com (72.14.207.99) on TCP port 80, 30 hops max
>  1  * * *
>
> I get nowhere.
>
> I can get out just fine on bge1, since 192.168.2.254 is my default
> gateway on the machine.
>
> I am starting to feel like the fwd directive is simply broken on this
> machine... Could there be some kernel options that I'm missing? Are
> there any other places I should look for something silly that might be
> breaking forward? Again, this did in fact work with pf on this
> machine; due to "policy" I need to get it working in ipfw.
>
> Jared Baldridge

Try with a simple configuration. In your situation, you NEED to put at least one divert rule because u have a router. For the beginning, u don't need to use fwd. Try to work with the route command. From man ipfw:

"
..............
The fwd action does not change the contents of the packet at all. In particular, the destination address remains unmodified, so packets forwarded to another system will usually be rejected by that system unless there is a matching rule on that system to capture them.
..............
"

I think that u have a problem with routes in that machine.

In relation to the choice ipfw vs. pf, who knows what u use? :)
Explain that some things can be done with pf and others with ipfw.
Pf has some problems in older versions of freebsd. What version do you use?
6.0 has some bugs, try 5.4 or 6.1

-- 
Best regards,
vladone                            mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 19 17:39:46 2006
Message-ID: <1482841695.20060519203942@spaingsm.com>
Date: Fri, 19 May 2006 20:39:42 +0300
From: vladone
To: ipfw@freebsd.org
In-Reply-To: <996142470605182053j3cdd06b4v2f28a424edd0cbdc@mail.gmail.com>
Subject: Re[2]: IPFW - Two External Interfaces

Hello PFS,

Friday, May 19, 2006, 6:53:57 AM, you wrote:

> On 5/16/06, Matthew wrote:
>> I recommend you install tcptraceroute: /usr/ports/net/tcptraceroute/
>>
>> tcptraceroute will let you specify the interface so you can test your
>> configuration.
>>
>> For example, I have a FWD rule:
>> ipfw add 420 fwd 192.168.10.10 tcp from 84.16.244.0/24 to any
>>
>> [root@c3p0][~]$ tcptraceroute -s 84.16.244.178 -i gif0 www.google.com
>> Selected device gif0, address 84.16.244.178, port 12154 for outgoing packets
>> Tracing the path to www.google.com (72.14.203.99) on TCP port 80, 30 hops max
>>  1  192.168.10.10 (192.168.10.10)  107.013 ms  106.731 ms  106.697 ms
>>  2  fragw.gatewayrouter.net (84.16.224.1)  107.287 ms  107.211 ms  107.352 ms
>>  3  fragw1.gatewayrouter.net (217.20.117.10)  106.937 ms  107.240 ms  106.986 ms
>>  4  rtr-1.decix-germany.eweka.nl (80.81.192.224)  107.090 ms  107.509 ms  107.103 ms
>>
>> -- Matthew
>>
>
> This really highlights my problem that traffic with a source ip of
> 192.168.1.1 isn't being forwarded properly to 192.168.1.254. I have
> removed all my NAT related rules for testing and have just the
> following:
>
> ipfw -f flush
> ipfw -f pipe flush
> ipfw add fwd 192.168.1.254 tcp from 192.168.1.1 to any
> ipfw add allow all from any to any
>
> When I do a tcptraceroute as outlined above:
>
> $sudo tcptraceroute -s 192.168.1.1 -i em0 google.com
> Selected device em0, address 192.168.1.1, port 56472 for outgoing packets
> Tracing the path to google.com (72.14.207.99) on TCP port 80, 30 hops max
>  1  * * *
>
> I get nowhere.
>
> I can get out just fine on bge1, since 192.168.2.254 is my default
> gateway on the machine.
>
> I am starting to feel like the fwd directive is simply broken on this
> machine... Could there be some kernel options that I'm missing? Are
> there any other places I should look for something silly that might be
> breaking forward? Again, this did in fact work with pf on this
> machine; due to "policy" I need to get it working in ipfw.
>
> Jared Baldridge

And again from man ipfw:

"
..............
If ipaddr is not a local address, then the port number (if specified) is ignored, and the packet will be forwarded to the remote address, using the route as found in the local routing table for that IP.
...............
"

So, again, about routes.

-- 
Best regards,
vladone                            mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 19 18:05:51 2006
Message-ID: <55822942.20060519210549@spaingsm.com>
Date: Fri, 19 May 2006 21:05:49 +0300
From: vladone
To: ipfw@freebsd.org
Subject: question about pipe and queue used in dummynet

Does anybody know if dummynet uses a queuing discipline when congestion is anticipated, to alert the sender to slow down?
Or a little explanation about how dummynet works?

-- 
Best regards,
vladone                            mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 19 22:59:20 2006
Date: Fri, 19 May 2006 15:59:18 -0700
From: "Andrew White"
To: "PFS IT"
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
In-Reply-To: <996142470605161456n46e43682x392b1f4f2ccfec73@mail.gmail.com>
Subject: Re: IPFW - Two External Interfaces

your rules don't forward ping to isp2, only port 80 ... try

00400 divert 8869 ip from any to any in via bge1
00450 divert 8868 ip from any to any in via em0
00500 check-state

#Check for internal_system port 80 traffic
0600 skipto 900 from $internal_system to $remote_system 80 keep-state

#Send Most Traffic out via bge1
00700 divert 8869 ip from $local_net to any in keep-state
00750 divert 8869 ip from $local_net to any out keep-state

#Send "special" traffic out via em0
00900 divert 8868 ip from $local_net to any in
00950 divert 8868 ip from $local_net to any out

#policy route to get traffic to the correct ISP
02000 fwd $isp2_gw ip from $isp2_ip to any
02500 fwd $isp1_gw ip from $isp1_ip to any

65000 allow ip from any to any

---

the key to this config is line 600, whatever it matches will go to line 700 and get the isp address, then get routed to isp 2. With this config a ping won't match, only a port 80 or http request ...

.Andrew

On 5/16/06, PFS IT wrote:
>
> I am attempting to use IPFW (and either IPNAT or natd) to do the
> following:
>
> I have two connections to the outside world coming in to my firewall.
> em0 has a static ip and is going to a bridged DSL connection, then
> bge1 has a static ip and is going to a few bonded DS1s. bge0 goes to
> my internal network. I am attempting to have NAT on both external
> interfaces, and have most outbound traffic move across bge1, while
> traffic from/to a particular internal system (We'll call it
> internal_system for purposes of this message) to/from a particular
> remote system (This we'll call remote_system) port 80 moves across
> the DSL line on em0.
>
> Here is an attempt at a pretty ascii picture
>
>                 ISP 1
>            [192.168.2.254]
>                  |
>                  |
>           [bge1:192.168.2.1]
> FIREWALL[bge0:10.0.0.1]-------[10.0.0.2]internal_system
>           [em0:192.168.1.1]
>                  |
>                  |
>            [192.168.1.254]
>                 ISP 2
>
> Here are the rules I've tried using in conjunction with natd:
>
> #Send incoming traffic to natd
> 00400 divert 8869 ip from any to any in via bge1
> 00450 divert 8868 ip from any to any in via em0
> 00500 check-state
>
> #Check for internal_system port 80 traffic
> 0600 skipto 900 from $internal_system to $remote_system 80
>
> #Send Most Traffic out via bge1
> 00700 divert 8869 ip from $local_net to any in
> 00750 divert 8869 ip from $local_net to any out
>
> #Send "special" traffic out via em0
> 00900 divert 8868 ip from $internal_system to $remote_system 80 in
> 00950 divert 8868 ip from $remote_system to $remote_system 80 out
>
> #policy route to get traffic to the correct ISP
> 02000 fwd $isp2_gw ip from $isp2_ip to any
> 02500 fwd $isp1_gw ip from $isp1_ip to any
>
> Two instances of natd are running, one on port 8868 with an alias
> address of $isp1_ip, the other is on port 8869 with an alias address
> of $isp2_ip
>
> With the above ipfw rules in place, a
>
> $ping -S $isp2_ip google.com
>
> Should result in a ping across em0 to google, however it acts as
> though it cannot even reach the $isp2_gw.
>
> I have been able to get everything to work exactly as I want it to
> using pf on FreeBSD, but I've been told that ipfw is preferred within
> the organization.
>
> Any suggestions would be greatly appreciated.
>
> Jared Baldridge
> Systems Administrator
> PFS