From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 22 19:16:00 2006
Date: Sun, 22 Oct 2006 19:15:59 GMT
From: Mark Linimon
Subject: Re: kern/104682: [ipfw] [patch] Some minor language consistency fixes and whitespace nits

Synopsis: [ipfw] [patch] Some minor language consistency fixes and whitespace nits

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Oct 22 19:15:51 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=104682

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 23 11:08:22 2006
Date: Mon, 23 Oct 2006 11:08:20 GMT
From: FreeBSD bugmaster
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
f kern/51341   ipfw   [ipfw] [patch] ipfw rule 'deny icmp from any to any ic
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o conf/78762   ipfw   [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913    ipfw   [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw   ipfw pipe lost packets
o kern/95084   ipfw   [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw   [ipfw] [patch] add a facility to modify DF bit of the

14 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw   [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw   [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw   [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw   [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw   [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw   sugestions about ipfw table
p kern/103967  ipfw   [ipfw] [patch] ipfw2 limit src-addr logging is not suf
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a

19 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 23 16:59:27 2006
Date: Mon, 23 Oct 2006 18:58:33 +0200
From: eternityos@free.fr
Subject: pf's "borrow" equivalent

Hi everyone,

I'm new to this list, I use ipfw+dummynet for traffic shaping.
I'm having an issue...
I have two users that share a same pipe of 128Kbit/s, so when a user is
not using internet, the other gets 128KBit/s.

Now my issue is, when both users use internet at the same time, let's say
user A is using a P2P software and user B simply surfing the web.

Logically, user A is taking the whole bandwidth and user B is having issues
surfing.

I want to guarantee at least 64K, so user A will have at least 64K when using
internet.

I already asked about this in #freebsd channel in freenode.... and I have been
answered
"use pf's borrow option".

So, is there a pf's borrow option equivalent in pf or any other way to deal with
this issue?

Thanks in advance :)

Pierre.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 23 17:38:18 2006
Date: Mon, 23 Oct 2006 20:37:55 +0300
From: Odhiambo WASHINGTON
Subject: Re: pf's "borrow" equivalent

* On 23/10/06 18:58 +0200, eternityos@free.fr wrote:
|
|
| Hi everyone,
|
| I'm new to this list, I use ipfw+dummynet for traffic shaping.
| I'm having an issue...
| I have two users that share a same pipe of 128Kbit/s, so when a user is
| not using internet, the other gets 128KBit/s.
|
| Now my issue is, when both users use internet at the same time, let's say
| user A is using a P2P software and user B simply surfing the web.
|
| Logically, user A is taking the whole bandwidth and user B is having issues
| surfing.
|
| I want to guarantee at least 64K, so user A will have at least 64K when using
| internet.
|
| I already asked about this in #freebsd channel in freenode.... and I have been
| answered
| "use pf's borrow option".

There is a very good tutorial here:

http://alex.kruijff.org/FreeBSD/Firewall_Setup.html

The rules will guarantee that each user gets equal share of the
available bandwidth ;)


-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+

//GO.SYSIN DD *, DOODAH, DOODAH

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 23 22:23:02 2006
Date: Tue, 24 Oct 2006 00:23:00 +0200
From: eternityos@free.fr
Subject: Re: pf's "borrow" equivalent

Hi!

Thank you for your answer, I have seen this link, I already have most of this...
What I really need to know is the principle of having 2 persons using a same pipe
but having a repartited bandwidth when both are using internet and having full
bandwidth of this pipe when only one user is using this bandwidth.

I have seen in the link you pointed this:

pipe 2 config queue QUEUE_DOWN bw BANDWIDTH_DOWN
queue 3 config queue QUEUE_DOWN pipe 2 mask dst-ip 0xffffffff weight 1 mask all
queue 4 config queue QUEUE_DOWN pipe 2 mask dst-ip 0xffffffff weight 100

Is this what I am looking for?
If yes, would this mean that in my case, I need my users to have 2 queues of the
same weight on one pipe?

I have read the dummynet documentation and I'm still a bit confused about what
the weight is for...

Thanks a lot :)

Pierre.

Odhiambo WASHINGTON wrote:

>* On 23/10/06 18:58 +0200, eternityos@free.fr wrote:
>|
>|
>| Hi everyone,
>|
>| I'm new to this list, I use ipfw+dummynet for traffic shaping.
>| I'm having an issue...
>| I have two users that share a same pipe of 128Kbit/s, so when a user is
>| not using internet, the other gets 128KBit/s.
>|
>| Now my issue is, when both users use internet at the same time, let's say
>| user A is using a P2P software and user B simply surfing the web.
>|
>| Logically, user A is taking the whole bandwidth and user B is having issues
>| surfing.
>|
>| I want to guarantee at least 64K, so user A will have at least 64K when using
>| internet.
>|
>| I already asked about this in #freebsd channel in freenode.... and I have been
>| answered
>| "use pf's borrow option".
>
>There is a very good tutorial here:
>
>http://alex.kruijff.org/FreeBSD/Firewall_Setup.html
>
>The rules will guarantee that each user gets equal share of the
>available bandwidth ;)
>
>
>-Wash

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 24 10:53:38 2006
Date: Tue, 24 Oct 2006 14:53:27 +0400
From: "Andrey V. Elsukov"
Subject: ipfw tracing

Hi, All!

I've made a small patch that adds a rule action
tracing feature to ipfw2.

http://butcher.heavennet.ru/patches/kernel/ipfw_trace/

This patch can be useful when you have too many
ipfw-rules. When some packets do not pass ipfw, it is not
easy to determine the rule which blocks these packets.

How to use:

# ipfw add 1 count tag
# sysctl net.inet.ip.fw.trace_tag=
# tail -f /var/log/security

- some tag number
- rule for matching needed packets

What do you think about that?

--
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 24 20:05:26 2006
Date: Tue, 24 Oct 2006 13:05:12 -0700
From: Julian Elischer
Subject: Re: ipfw tracing

Andrey V. Elsukov wrote:
> Hi, All!
>
> I've made a small patch that adds a rule action
> tracing feature to ipfw2.
>
> http://butcher.heavennet.ru/patches/kernel/ipfw_trace/
>
> This patch can be useful when you have too many
> ipfw-rules. When some packets do not pass ipfw, it is not
> easy to determine the rule which blocks these packets.
>
> How to use:
>
> # ipfw add 1 count tag
> # sysctl net.inet.ip.fw.trace_tag=
> # tail -f /var/log/security
>
> - some tag number
> - rule for matching needed packets
>
> What do you think about that?
>
Can you show some sample usage and output?

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 25 05:12:49 2006
Date: Wed, 25 Oct 2006 09:12:33 +0400
From: "Andrey V. Elsukov"
Subject: Re: ipfw tracing

Julian Elischer wrote:
>> What do you think about that?
>>
> Can you show some sample usage and output?

Sorry, I don't have a patched ipfw on production servers and
can show only a synthetic example.

Let us suppose that we have a lot of rules on our
gateway (allow, deny, skipto, pipe, divert, etc).
And we have a task: permit access from some host A to some
host B. This can be easy by adding a permit rule at some place
at the head of the rules. But I am used to storing related
rules in blocks and don't want to have random sequences
of rules. Tracing is a simple way to determine which rules
process our packets. We add a tagging rule at the head of the rules
and begin tracing.

Example:

# ipfw add 1 count tag 123 ip from any to 239.192.2.21
# sysctl net.inet.ip.fw.trace_tag=123
# tail -f /var/log/security
Oct 25 09:08:07 btr-nb kernel: ipfw: 1 Count UDP 172.21.81.221:1102 239.192.2.21:4545 in via nve0
Oct 25 09:08:07 btr-nb kernel: ipfw: 1014 SkipTo 2050 UDP 172.21.81.221:1102 239.192.2.21:4545 in via nve0
Oct 25 09:08:07 btr-nb kernel: ipfw: 65535 Deny UDP 172.21.81.221:1102 239.192.2.21:4545 in via nve0
Oct 25 09:08:08 btr-nb kernel: ipfw: 1 Count UDP 172.21.81.222:1089 239.192.2.21:4545 in via nve0
Oct 25 09:08:08 btr-nb kernel: ipfw: 1014 SkipTo 2050 UDP 172.21.81.222:1089 239.192.2.21:4545 in via nve0
Oct 25 09:08:08 btr-nb kernel: ipfw: 65535 Deny UDP 172.21.81.222:1089 239.192.2.21:4545 in via nve0

I think this feature can be usable, but it needs some limiting.

--
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 26 15:14:23 2006
Date: Thu, 26 Oct 2006 23:14:14 +0800
From: Eugene Grosbein
Subject: Re: pf's "borrow" equivalent

> I want to guarantee at least 64K, so user A will have at least 64K when
> using internet.

You want to give equal priorities to both users so just make two dummynet
queues with equal weights and connect them to your pipe. Then direct
traffic of users to distinct queues and not to pipe directly.
So there will be a competition of two flows inside a pipe and WFQ algorithm
implemented within dummynet will take care of the rest.

Eugene Grosbein

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 28 12:19:21 2006
Date: Sat, 28 Oct 2006 15:19:14 +0300
From: Odhiambo WASHINGTON
Subject: How do I do this with IPFW2?

Here is my network definition, with two IP blocks.

my_ip_blocks = "62.8.64.0/19 196.200.32.0/20"

I'd like to do something like below:

ipfw pipe 1 config bw 1024Kbit/s
ipfw add pipe 1 tcp from me to not $my_ip_blocks 25


What I can't find is how to _correctly_ define my_ip_blocks
in the rule in a way ipfw2 will accept.


Thank you.

--
+======================================================================+
    |\      _,,,---,,_     | Odhiambo Washington
Zzz /,`.-'`'    -.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_)     | GSM: +254 722 743223   +254 733 744121
+======================================================================+

Beware of self-styled experts: an ex is a has-been, and a spurt is a
drip under pressure.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 28 14:07:36 2006
Date: Sat, 28 Oct 2006 15:07:10 +0100
From: Joe Holden
Subject: Re: How do I do this with IPFW2?

Odhiambo WASHINGTON wrote:
> Here is my network definition, with two IP blocks.
>
> my_ip_blocks = "62.8.64.0/19 196.200.32.0/20"
>
> I'd like to do something like below:
>
> ipfw pipe 1 config bw 1024Kbit/s
> ipfw add pipe 1 tcp from me to not $my_ip_blocks 25
>
>
> What I can't find is how to _correctly_ define my_ip_blocks
> in the rule in a way ipfw2 will accept.
>
What release?

I know the following will work in -CURRENT (Courtesy of the manual
pages for IPFW):

my_ip_blocks="62.8.64.0/19, 196.200.32.0/20"

ipfw pipe 1 config bw 1024Kbit/s
ipfw add pipe 1 tcp from me to not $my_ip_blocks 25

HTH

Joe

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 28 20:22:36 2006
From: "Cesar Fazan"
Date: Sat, 28 Oct 2006 17:22:00 -0300
Subject: Re: How do I do this with IPFW2?

What about using ipfw tables?

ipfw table 1 add 62.8.64.0/19
ipfw table 1 add 196.200.32.0/20
ipfw add pipe 1 tcp from me to not table'(1)' 25

Cesar

----- Original Message -----
From: "Odhiambo WASHINGTON"
To:
Sent: Saturday, October 28, 2006 9:19 AM
Subject: How do I do this with IPFW2?

>
> Here is my network definition, with two IP blocks.
>
> my_ip_blocks = "62.8.64.0/19 196.200.32.0/20"
>
> I'd like to do something like below:
>
> ipfw pipe 1 config bw 1024Kbit/s
> ipfw add pipe 1 tcp from me to not $my_ip_blocks 25
>
>
> What I can't find is how to _correctly_ define my_ip_blocks
> in the rule in a way ipfw2 will accept.
>
>
> Thank you.
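
Added example, not part of any message in this archive and not code from the trace patch: a Python parser for /var/log/security lines in the layout Andrey V. Elsukov posted in the "ipfw tracing" thread, which groups the lines per packet and reports the rule that issued the final verdict. The function names, the "Accept" and sshd sample lines, and the action names other than "Deny" are assumptions made for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Layout taken from the trace output quoted in the thread:
#   <date> <host> kernel: ipfw: <rule> <action [arg]> <proto> <src> <dst> <in|out> via <iface>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\sipfw:\s"
    r"(?P<rule>\d+)\s(?P<action>.+?)\s(?P<proto>\S+)\s"
    r"(?P<src>\d+(?:\.\d+){3}(?::\d+)?)\s(?P<dst>\d+(?:\.\d+){3}(?::\d+)?)\s"
    r"(?P<dir>in|out)\svia\s(?P<iface>\S+)$"
)

# Final actions treated as "the packet was blocked". Only "Deny" appears in
# the thread; "Reset" and "Unreach" are assumed names for the other cases.
BLOCKING = ("Deny", "Reset", "Unreach")


@dataclass
class Traversal:
    """One packet's walk through the ruleset, as seen in the trace."""
    flow: tuple                                  # (proto, src, dst, dir, iface)
    chain: list = field(default_factory=list)    # [(rule_number, action), ...]

    @property
    def verdict(self):
        # The last rule logged for the packet is the one that decided its fate.
        return self.chain[-1]


def parse_trace(lines):
    """Group trace lines into per-packet traversals, in order of appearance."""
    open_by_flow = {}
    traversals = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog noise
        flow = (m["proto"], m["src"], m["dst"], m["dir"], m["iface"])
        rule = int(m["rule"])
        cur = open_by_flow.get(flow)
        # Rules are evaluated in ascending order (skipto only jumps forward),
        # so a lower rule number on the same flow means a new packet.
        if cur is None or rule < cur.chain[-1][0]:
            cur = Traversal(flow)
            open_by_flow[flow] = cur
            traversals.append(cur)
        cur.chain.append((rule, m["action"]))
    return traversals


def blocked_by(traversals):
    """Count, per rule number, how many traced packets that rule blocked."""
    hits = Counter()
    for t in traversals:
        rule, action = t.verdict
        if action.startswith(BLOCKING):
            hits[rule] += 1
    return hits


# First six lines are the ones posted in the thread; the sshd line and the
# 172.21.81.223 flow are constructed for this example.
SAMPLE = """\
Oct 25 09:08:07 btr-nb kernel: ipfw: 1 Count UDP 172.21.81.221:1102 239.192.2.21:4545 in via nve0
Oct 25 09:08:07 btr-nb kernel: ipfw: 1014 SkipTo 2050 UDP 172.21.81.221:1102 239.192.2.21:4545 in via nve0
Oct 25 09:08:07 btr-nb kernel: ipfw: 65535 Deny UDP 172.21.81.221:1102 239.192.2.21:4545 in via nve0
Oct 25 09:08:08 btr-nb kernel: ipfw: 1 Count UDP 172.21.81.222:1089 239.192.2.21:4545 in via nve0
Oct 25 09:08:08 btr-nb kernel: ipfw: 1014 SkipTo 2050 UDP 172.21.81.222:1089 239.192.2.21:4545 in via nve0
Oct 25 09:08:08 btr-nb kernel: ipfw: 65535 Deny UDP 172.21.81.222:1089 239.192.2.21:4545 in via nve0
Oct 25 09:08:08 btr-nb sshd[812]: Accepted publickey for admin
Oct 25 09:08:09 btr-nb kernel: ipfw: 1 Count UDP 172.21.81.223:1090 239.192.2.21:4545 in via nve0
Oct 25 09:08:09 btr-nb kernel: ipfw: 1010 Accept UDP 172.21.81.223:1090 239.192.2.21:4545 in via nve0
"""

if __name__ == "__main__":
    packets = parse_trace(SAMPLE.splitlines())
    for p in packets:
        path = " -> ".join(f"{rule} {action}" for rule, action in p.chain)
        print(f"{p.flow[1]} > {p.flow[2]} [{p.flow[3]} {p.flow[4]}]: {path}")
    for rule, count in blocked_by(packets).most_common():
        print(f"rule {rule} blocked {count} traced packet(s)")
```

In the posted trace both packets end at rule 65535, so nothing between the skipto target 2050 and the default rule accepted them; that range is where the permit rule is missing.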