From owner-freebsd-ipfw@freebsd.org Mon Jul 17 05:04:11 2017
From: Kulamani Sethi
Date: Mon, 17 Jul 2017 10:34:10 +0530
Subject: Re: Unable to set rule using service name
To: Ian Smith
Cc: freebsd-questions@freebsd.org, freebsd-ipfw@freebsd.org

Hi Lan,
Thanks for your response!

Yes, it is a placeholder. Here is an exact real example of the service URL.
However, it is an intranet service, so you may not be able to access it.

service URL1: https://vwddgdptv001.corp.intranet/RISC_1/GDPLogin.aspx

service URL2: https://vwddgdptv001.corp.intranet/GDPT_1/GDPLogin.aspx

Note: RISC_1 and GDPT_1 are two different services running on a
common server.

I want to set a deny rule on RISC_1 only.

*With best Regards,*

Kulamani Sethi,
Bangalore, India
Mob: 9686190111

On Fri, Jul 14, 2017 at 10:31 PM, Ian Smith wrote:

> On Fri, 14 Jul 2017 16:43:56 +0530, Kulamani Sethi wrote:
> > Hi,
> > I want to set a rule for a particular service URL which is running on a
> > remote server.
> > I know the IP but don't know the port number where that service is
> > running.
> > If I set a rule for the IP then it will be applied to all the services
> > running over there.
> >
> > There is an option in an IPFW rule where we can set either a port number
> > or a name, but it is not accepting the name. Here is an example for my case.
> >
> > suppose URL for test1 service http://x.x.x.x/test1
> > URL for test2 service http://x.x.x.x/test2
> >
> > I tried a rule, "ipfw add 104 deny log ip from x.x.x.x test1 to any".
> > Got error "ipfw: missing "to'' ".
> > *I want to set a rule for test1, where I have no idea about the port.*
> > *Also please help me find out the port number, if there is any way.*
>
> RW well described (in freebsd-questions@) the relationship between port
> numbers and service names in /etc/services; assuming you know the name,
> that gives you the number. Are 'test1' and 'test2' real examples, or
> placeholders for real service names?
>
> In any case, you cannot specify a port number in a rule with proto 'ip';
> when specifying port/s you need to specify 'udp' or 'tcp' protocol.
>
> Can you give an example of the actual packets (protocol, port number/s)
> that you want to block?
>
> cheers, Ian
>

From owner-freebsd-ipfw@freebsd.org Mon Jul 17 11:21:49 2017
Date: Mon, 17 Jul 2017 21:21:37 +1000 (EST)
From: Ian Smith
To: Kulamani Sethi
cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: Unable to set rule using service name
Message-ID: <20170717211435.A87076@sola.nimnet.asn.au>

On Mon, 17 Jul 2017 18:34:10 +0500, Kulamani Sethi wrote:

> Hi Lan,
> Thanks for your response!
>
> Yes, it is a placeholder. Here is an exact real example of the service URL.
> However, it is an intranet service, so you may not be able to access it.
>
> service URL1: https://vwddgdptv001.corp.intranet/RISC_1/GDPLogin.aspx
>
> service URL2: https://vwddgdptv001.corp.intranet/GDPT_1/GDPLogin.aspx
>
> Note: RISC_1 and GDPT_1 are two different services running on a
> common server.
>
> I want to set a deny rule on RISC_1 only.

I'm sorry, I quite misunderstood your problem (and RW's response).

You cannot use ipfw for this purpose, as it only distinguishes source
and/or destination IP addresses and/or TCP|UDP port numbers on packets.

You need something to distinguish between URLs, that isn't the firewall
but something at a higher level, perhaps some sort of proxy?

cheers, Ian

> *With best Regards,*
>
> Kulamani Sethi,
> Bangalore, India
> Mob: 9686190111
>
> On Fri, Jul 14, 2017 at 10:31 PM, Ian Smith wrote:
>
> > On Fri, 14 Jul 2017 16:43:56 +0530, Kulamani Sethi wrote:
> > > Hi,
> > > I want to set a rule for a particular service URL which is running on a
> > > remote server.
> > > I know the IP but don't know the port number where that service is
> > > running.
> > > If I set a rule for the IP then it will be applied to all the services
> > > running over there.
> > >
> > > There is an option in an IPFW rule where we can set either a port number
> > > or a name, but it is not accepting the name. Here is an example for my case.
> > >
> > > suppose URL for test1 service http://x.x.x.x/test1
> > > URL for test2 service http://x.x.x.x/test2
> > >
> > > I tried a rule, "ipfw add 104 deny log ip from x.x.x.x test1 to any".
> > > Got error "ipfw: missing "to'' ".
> > > *I want to set a rule for test1, where I have no idea about the port.*
> > > *Also please help me find out the port number, if there is any way.*
> >
> > RW well described (in freebsd-questions@) the relationship between port
> > numbers and service names in /etc/services; assuming you know the name,
> > that gives you the number. Are 'test1' and 'test2' real examples, or
> > placeholders for real service names?
> >
> > In any case, you cannot specify a port number in a rule with proto 'ip';
> > when specifying port/s you need to specify 'udp' or 'tcp' protocol.
> >
> > Can you give an example of the actual packets (protocol, port number/s)
> > that you want to block?
> >
> > cheers, Ian
> >
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@freebsd.org Wed Jul 19 08:30:17 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 220824] ipfw lookup tables are not supported in -n mode
Date: Wed, 19 Jul 2017 08:30:17 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-STABLE
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-ipfw@FreeBSD.org
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220824

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-ipfw@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.
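
Added example, not part of the original messages: Ian Smith's reply in the "Unable to set rule using service name" thread says ipfw only distinguishes addresses and TCP|UDP ports, so telling the two URLs apart needs something like a proxy. The Python below shows that both service URLs look identical to a packet filter and shows a path check that a reverse proxy could apply; the IP addresses, the deny list and the case-insensitive path handling are assumptions.

```python
# Added illustration, not code from the thread. Addresses are constructed samples.
import posixpath
from urllib.parse import urlsplit, unquote

SERVER_IP = "192.0.2.10"    # constructed; the thread only gives x.x.x.x
CLIENT_IP = "198.51.100.7"  # constructed

# The two service URLs quoted in the thread.
URL_RISC = "https://vwddgdptv001.corp.intranet/RISC_1/GDPLogin.aspx"
URL_GDPT = "https://vwddgdptv001.corp.intranet/GDPT_1/GDPLogin.aspx"

DENIED_PREFIXES = ("/risc_1",)  # hypothetical proxy policy: block RISC_1 only


def l4_view(url):
    """Fields a packet filter such as ipfw can match for a request to url:
    protocol, source address, destination address, destination port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    return ("tcp", CLIENT_IP, SERVER_IP, port)


def normalize_path(url):
    """Canonical request path for a policy decision: percent-decoded,
    dot segments and repeated slashes resolved, lower-cased (assumes the
    backend treats paths case-insensitively)."""
    path = unquote(urlsplit(url).path)
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def l7_allows(url):
    """Per-request decision a TLS-terminating reverse proxy could make."""
    path = normalize_path(url)
    return not any(path == p or path.startswith(p + "/")
                   for p in DENIED_PREFIXES)


if __name__ == "__main__":
    for url in (URL_RISC, URL_GDPT):
        print(l4_view(url), "allowed" if l7_allows(url) else "denied", url)
```

With HTTPS the request path is encrypted on the wire, so a check like this has to run where TLS is terminated.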