From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 12 01:56:51 2009
From: "Mikhail T."
Date: Sat, 11 Apr 2009 21:37:20 -0400
To: net@FreeBSD.org, ipfw@FreeBSD.org
Subject: natd interferes with incoming RTSP/RTP
Message-ID: <49E145D0.4060609@aldan.algebra.com>

Hello!

I'm trying to watch video via RTSP/RTP from a remote net-camera on my
7.0-STABLE/i386 from July 6th:

    vlc --verbose 2 rtsp://user:password@remote.example.com/nphMpeg4/g726-320x240

Things work fine when my machine has the firewall disabled. Unfortunately,
the machine is also in charge of protecting and NAT-ing for a small LAN, so
keeping the ipfw down for long is not an option. Yet, with my usual firewall
setup (the modified "simple" -- altered to not care what the outside
IP-address is, because it changes via DHCP), things time out...

However, if I disable just one of the rules below -- 1300, the one diverting
all traffic to natd -- the video works fine... So it is not any of the other
rules that are the problem, nor is it the remote server... Why would this
happen and how do I solve the problem? Thanks!

Yours,

    -mi

P.S. Output of /etc/rc.d/ipfw showing the rules, etc.

net.inet.ip.fw.enable: 1 -> 0
Stopping natd.
Waiting for PIDS: 62054, 62054, 62054, 62054, 62054.
Starting natd.
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 192.168.1.0/24 to any in via nve0
00500 deny ip from any to 10.0.0.0/8 via nve0
00600 deny ip from any to 172.16.0.0/12 via nve0
00700 deny ip from any to 192.168.0.0/16 via nve0
00800 deny ip from any to 0.0.0.0/8 via nve0
00900 deny ip from any to 169.254.0.0/16 via nve0
01000 deny ip from any to 192.0.2.0/24 via nve0
01100 deny ip from any to 224.0.0.0/4 via nve0
01200 deny ip from any to 240.0.0.0/4 via nve0
/01300 divert 8668 ip from any to any via nve0/
01400 deny ip from 10.0.0.0/8 to any via nve0
01500 deny ip from 172.16.0.0/12 to any via nve0
01600 deny ip from 192.168.0.0/16 to any via nve0
01700 deny ip from 0.0.0.0/8 to any via nve0
01800 deny ip from 169.254.0.0/16 to any via nve0
01900 deny ip from 192.0.2.0/24 to any via nve0
02000 deny ip from 224.0.0.0/4 to any via nve0
02100 deny ip from 240.0.0.0/4 to any via nve0
02200 allow tcp from any to any established
02300 allow ip from any to any frag
02400 allow tcp from any to any dst-port 22 setup
02500 allow tcp from any to any dst-port 25 setup
02600 allow tcp from any to any dst-port 53 setup
02700 allow udp from any to any dst-port 53
02800 allow udp from any 53 to any
02900 allow tcp from any to any dst-port 80 setup
03000 allow tcp from any to any dst-port 2875 setup
03100 allow tcp from any to any dst-port 2885 setup
03200 allow tcp from any to any dst-port 2890 setup
03300 allow tcp from any to any dst-port 2895 setup
03400 allow tcp from any to any dst-port 2990 setup
03500 deny log logamount 100 tcp from any to any in via nve0 setup
03600 allow tcp from any to any setup
03700 allow udp from any to any dst-port 53 keep-state
03800 allow udp from any to any dst-port 123 keep-state
Firewall rules loaded.
net.inet.ip.fw.enable: 0 -> 1

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 12 12:14:42 2009
From: Paolo Pisati
Date: Sun, 12 Apr 2009 14:03:27 +0200
To: "Mikhail T."
Cc: ipfw@FreeBSD.org, net@FreeBSD.org
Subject: Re: natd interferes with incoming RTSP/RTP
Message-ID: <49E1D88F.30005@oltrelinux.com>
In-Reply-To: <49E145D0.4060609@aldan.algebra.com>
References: <49E145D0.4060609@aldan.algebra.com>

Mikhail T.
wrote:
> However, if I disable just one of the rules below -- 1300, the one
> diverting all traffic to natd -- the video works fine... So it is not
> any of the other rules, that are the problem, nor is it the remote
> server... Why would this happen and how do I solve the problem? Thanks!
>

comment all the entries in /etc/libalias.conf, restart or send an HUP to
natd and see if it helps.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 12 19:25:40 2009
From: "Mikhail T."
Date: Sun, 12 Apr 2009 15:25:37 -0400
To: Paolo Pisati
Cc: ipfw@FreeBSD.org, net@FreeBSD.org
Subject: Re: natd interferes with incoming RTSP/RTP
Message-ID: <49E24031.3050901@aldan.algebra.com>
In-Reply-To: <49E1D88F.30005@oltrelinux.com>
References: <49E145D0.4060609@aldan.algebra.com> <49E1D88F.30005@oltrelinux.com>

Paolo Pisati wrote:
> Mikhail T. wrote:
>> However, if I disable just one of the rules below -- 1300, the one
>> diverting all traffic to natd -- the video works fine... So it is not
>> any of the other rules, that are the problem, nor is it the remote
>> server... Why would this happen and how do I solve the problem? Thanks!
>>
> comment all the entries in /etc/libalias.conf, restart or send an HUP
> to natd and see if it helps.

Great pointer! As a matter of fact, all I had to comment out was the
/lib/libalias_smedia.so...

Now, what's wrong with it? Doesn't disabling this plugin mean that the
hosts on the LAN can't access RTSP streams? Thanks!

Yours,

    -mi

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 12 21:36:43 2009
From: Paolo Pisati
Date: Sun, 12 Apr 2009 23:36:41 +0200
Message-ID: <49E25EE9.3040309@oltrelinux.com>
To: "Mikhail T."
References: <49E145D0.4060609@aldan.algebra.com> <49E1D88F.30005@oltrelinux.com> <49E24031.3050901@aldan.algebra.com>
In-Reply-To: <49E24031.3050901@aldan.algebra.com>
Cc: ipfw@FreeBSD.org, net@FreeBSD.org
Subject: Re: natd interferes with incoming RTSP/RTP

Mikhail T. wrote:
> Great pointer! As a matter of fact, all I had to comment out was the
> /lib/libalias_smedia.so...
>
> Now, what's wrong with it? Doesn't disabling this plugin mean that the
> hosts on the LAN can't access RTSP streams? Thanks! Yours,
>

try this patch:

http://people.freebsd.org/~piso/alias_smedia.c.patch

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 13 11:06:55 2009
From: FreeBSD bugmaster
Date: Mon, 13 Apr 2009 11:06:55 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-Id: <200904131106.n3DB6t9N084976@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

57 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 13 14:30:06 2009
From: Ian Smith
Date: Mon, 13 Apr 2009 14:30:05 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/129103: [ipfw] IPFW check state does not work =(
Message-Id: <200904131430.n3DEU56V060269@freefall.freebsd.org>
Reply-To: Ian Smith
The following reply was made to PR kern/129103; it has been noted by GNATS.

From: Ian Smith
To: bug-followup@FreeBSD.org, kes-kes@yandex.ru
Subject: Re: kern/129103: [ipfw] IPFW check state does not work =(
Date: Tue, 14 Apr 2009 00:01:07 +1000

 I believe that I've demonstrated, especially in the second of the posts
 below to freebsd-ipfw, that no error is shown by these logs, and that
 despite the submitter wishing check-state and keep-state rules reported
 differently than they do, this PR is really more a feature request which,
 if not closed, should be labelled as such.

 I admit to some remaining confusion re this data in my first post:

 http://lists.freebsd.org/pipermail/freebsd-ipfw/2008-November/003689.html

 to which Eugen replied privately with less ambiguous data, quoted within

 http://lists.freebsd.org/pipermail/freebsd-ipfw/2008-November/003693.html

 Ian

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 14 18:24:16 2009
From: "Justin G."
Date: Tue, 14 Apr 2009 11:23:59 -0700
To: freebsd-ipfw@freebsd.org
Subject: Re: Only seeing incrementing counters on 'count' and not 'allow'
Message-ID: <5da021490904141123r4420c2b5uc7f6e17680bc6f94@mail.gmail.com>
In-Reply-To: <5da021490904141101p372f2dc4o8fb787081a8e65a9@mail.gmail.com>
References: <5da021490904141101p372f2dc4o8fb787081a8e65a9@mail.gmail.com>

On Tue, Apr 14, 2009 at 11:01 AM, Justin G. wrote:
> Hello everyone,
>
> We've got a 6.2-RELEASE box functioning as a gateway. Today we noticed
> that, when we place allow rules (we were testing at rule numbers 1-5
> to prevent any other matching rules) they weren't incrementing
> properly, but when replaced with "count" rules that are identical,
> they increment. The firewall is set to "OPEN" on the box and we're
> using the default /etc/rc.firewall script without modifications.
>
> Here's an example of what's going on:
>
> --snip--
> [root@gateway ~]# ipfw show | head -2
> 00002          0          0 allow ip from any to 10.10.0.75
> 00002          0          0 allow ip from 10.10.0.75 to any
> [root@gateway ~]# ping 10.10.0.75
> PING 10.10.0.75 (10.10.0.75): 56 data bytes
> ^C
> --- 10.10.0.75 ping statistics ---
> 5 packets transmitted, 0 packets received, 100% packet loss
> [root@gateway ~]# ipfw show | head -2
> 00002          0          0 allow ip from any to 10.10.0.75
> 00002          0          0 allow ip from 10.10.0.75 to any
> [root@gateway ~]# ipfw add 1 count ip from any to 10.10.0.75
> 00001 count ip from any to 10.10.0.75
> [root@gateway ~]# ping 10.10.0.75
> PING 10.10.0.75 (10.10.0.75): 56 data bytes
> ^C
> --- 10.10.0.75 ping statistics ---
> 4 packets transmitted, 0 packets received, 100% packet loss
> [root@gateway ~]# ipfw show | head -3
> 00001          4        336 count ip from any to 10.10.0.75
> 00002          0          0 allow ip from any to 10.10.0.75
> 00002          0          0 allow ip from 10.10.0.75 to any
> [root@gateway ~]#
> --snip--
>
> These are the firewall settings as defined in /etc/rc.conf:
> --snip--
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="open"
> --snip--
>
> I've been puzzling over this all day and would appreciate any
> direction provided :-)
>
> Have a great day.
>

Never mind! I guess I posted too soon. The issue turned out to be that the
rules were created with "allow IP from" instead of "allow ip from" -- it's
interesting to me that it is displayed in lower case in the "ipfw show"
output. I've just verified that this also occurs on FreeBSD 7.1 -- is this
intended functionality?
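A small check for the two things this thread turned up, written as an added example (it is not code from the thread or from ipfw itself): it parses `ipfw show` output, flags an allow rule whose counters stay at zero while an earlier, otherwise identical count rule is counting, and warns about a protocol keyword typed in the wrong case before the rule is loaded. The sample listing is constructed from the counters quoted above; the keyword set is an assumed subset of what ipfw(8) accepts.

```python
import re

# One line of `ipfw show`: rule number, packet count, byte count, action, body.
SHOW_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+)$")

# Protocol keywords as ipfw expects them (assumed subset; /etc/protocols has more).
# The thread reports that an upper-case "IP" was not treated like "ip", and that
# `ipfw show` prints the rule in lower case anyway, so the mismatch is invisible
# after loading. Checking the text before `ipfw add` is the cheap guard.
PROTO_KEYWORDS = {"ip", "all", "ip4", "ipv4", "ip6", "ipv6", "tcp", "udp", "icmp"}

# Constructed sample, modelled on the counters quoted in this thread: the count
# rule at 1 sees 4 packets while the identical allow rule at 2 stays at zero.
SAMPLE_SHOW = """\
00001          4        336 count ip from any to 10.10.0.75
00002          0          0 allow ip from any to 10.10.0.75
00002          0          0 allow ip from 10.10.0.75 to any
65535     123456   78901234 allow ip from any to any
"""


def parse_show(text):
    """Return one dict per `ipfw show` line that carries packet/byte counters."""
    rules = []
    for line in text.splitlines():
        m = SHOW_LINE.match(line.strip())
        if not m:
            continue  # e.g. the echo printed by `ipfw add`, which has no counters
        num, pkts, byts, action, body = m.groups()
        rules.append({"num": int(num), "pkts": int(pkts), "bytes": int(byts),
                      "action": action, "body": body})
    return rules


def dead_allow_rules(rules):
    """Numbers of allow rules with zero packets whose body equals that of an
    earlier count rule that has matched traffic. The count rule proves the
    packets reach the firewall, so an allow rule with the same body should be
    counting too; if it is not, the rule is not what it looks like."""
    suspects = []
    for allow in rules:
        if allow["action"] != "allow" or allow["pkts"] != 0:
            continue
        for count in rules:
            if (count["action"] == "count" and count["num"] < allow["num"]
                    and count["body"] == allow["body"] and count["pkts"] > 0):
                suspects.append(allow["num"])
                break
    return suspects


def miscased_protocol(rule_text):
    """Return the protocol token of a rule body such as 'allow IP from any to
    any' when it is a known keyword in the wrong case, else None."""
    tokens = rule_text.split()
    if "from" not in tokens or tokens.index("from") == 0:
        return None
    proto = tokens[tokens.index("from") - 1]
    if proto != proto.lower() and proto.lower() in PROTO_KEYWORDS:
        return proto
    return None


if __name__ == "__main__":
    print("suspect allow rules:", dead_allow_rules(parse_show(SAMPLE_SHOW)))
    print("mis-cased protocol:", miscased_protocol("allow IP from any to 10.10.0.75"))
```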
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 14 18:30:41 2009
From: "Justin G."
Date: Tue, 14 Apr 2009 11:01:19 -0700
To: freebsd-ipfw@freebsd.org
Subject: Only seeing incrementing counters on 'count' and not 'allow'
Message-ID: <5da021490904141101p372f2dc4o8fb787081a8e65a9@mail.gmail.com>

Hello everyone,

We've got a 6.2-RELEASE box functioning as a gateway. Today we noticed
that, when we place allow rules (we were testing at rule numbers 1-5
to prevent any other matching rules) they weren't incrementing
properly, but when replaced with "count" rules that are identical,
they increment. The firewall is set to "OPEN" on the box and we're
using the default /etc/rc.firewall script without modifications.

Here's an example of what's going on:

--snip--
[root@gateway ~]# ipfw show | head -2
00002          0          0 allow ip from any to 10.10.0.75
00002          0          0 allow ip from 10.10.0.75 to any
[root@gateway ~]# ping 10.10.0.75
PING 10.10.0.75 (10.10.0.75): 56 data bytes
^C
--- 10.10.0.75 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
[root@gateway ~]# ipfw show | head -2
00002          0          0 allow ip from any to 10.10.0.75
00002          0          0 allow ip from 10.10.0.75 to any
[root@gateway ~]# ipfw add 1 count ip from any to 10.10.0.75
00001 count ip from any to 10.10.0.75
[root@gateway ~]# ping 10.10.0.75
PING 10.10.0.75 (10.10.0.75): 56 data bytes
^C
--- 10.10.0.75 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
[root@gateway ~]# ipfw show | head -3
00001          4        336 count ip from any to 10.10.0.75
00002          0          0 allow ip from any to 10.10.0.75
00002          0          0 allow ip from 10.10.0.75 to any
[root@gateway ~]#
--snip--

These are the firewall settings as defined in /etc/rc.conf:
--snip--
firewall_enable="YES"
firewall_logging="YES"
firewall_type="open"
--snip--

I've been puzzling over this all day and would appreciate any
direction provided :-)

Have a great day.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 14 21:38:45 2009
From: Paolo Pisati
Date: Tue, 14 Apr 2009 23:38:42 +0200
To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: [patch] mbuf aware libalias
Message-ID: <49E50262.8060603@oltrelinux.com>

http://people.freebsd.org/~piso/libalias_mbuf.diff

This patch makes libalias able to handle mbufs: TOS, big MTU, much less
copy-around, etc. I encourage people to test it, since I would like to
commit it soon.

Known issues:
- documentation was not updated
- I didn't convert the fragment handling part (GetFragment, SaveFragment & C)
  since I would like to axe it
- all the modules still require some copy-around to work, but I'm teaching
  them, piece by piece, how to use mbufs

bye,
P.