RE: new IPFW

From owner-freebsd-ipfw Tue Nov 23 8:10: 2 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from www.phear.nl (bofh.wish.net [212.61.32.7]) by hub.freebsd.org (Postfix) with ESMTP id C4C8415293 for ; Tue, 23 Nov 1999 08:09:50 -0800 (PST) (envelope-from robin@www.phear.nl) Received: (from robin@localhost) by www.phear.nl (8.10.0.Beta6/8.10.0.Beta6) id dANGBKX68912 for freebsd-ipfw@freebsd.org; Tue, 23 Nov 1999 17:11:20 +0100 (CET) Date: Tue, 23 Nov 1999 17:11:19 +0100 From: Robin Gruyters To: freebsd-ipfw@freebsd.org Subject: IPFW and forward Message-ID: <19991123171119.N49519@bofh.wish.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i X-Operating-System: FreeBSD, i386 X-PGP-Fingerprint: FD 2B 93 E9 04 20 5D F7 85 C2 F8 9E 05 4E 51 DD X-Url: http://www.phear.nl Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG hi, How do I set a forward: ipfw add fwd : tcp from any to Something like that?!?! Please, help me. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 8:22: 7 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from epic.purefusion.com (core.fedz.org [216.94.188.115]) by hub.freebsd.org (Postfix) with ESMTP id 9F72114A1A for ; Tue, 23 Nov 1999 08:21:29 -0800 (PST) (envelope-from relapz@purefusion.com) Received: from localhost (relapz@localhost) by epic.purefusion.com (8.9.3/8.9.3) with ESMTP id LAA67798; Tue, 23 Nov 1999 11:20:52 -0500 (EST) Date: Tue, 23 Nov 1999 11:20:51 -0500 (EST) From: relapz To: Robin Gruyters Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: IPFW and forward In-Reply-To: <19991123171119.N49519@bofh.wish.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG actually, the fwd command is used for forward routing traffic... sorta like: ipfw add ### fwd 10.0.0.1 all from 10.0.1.0/24 to any it will forward traffic to 10.0.0.1 (another router perhaps) when the traffic comes from 10.0.1.0/24. What you are probably trying to due actually uses the tee or divert command. You can also do it with natd. DJM:> On Tue, 23 Nov 1999, Robin Gruyters wrote: > hi, > > > How do I set a forward: > > ipfw add fwd : tcp from any to > > Something like that?!?! Please, help me. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 9:12:35 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from rapidnet.com (rapidnet.com [205.164.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 7D4EC14C05 for ; Tue, 23 Nov 1999 09:12:10 -0800 (PST) (envelope-from nick@rapidnet.com) Received: from localhost (nick@localhost) by rapidnet.com (8.9.3/8.9.3) with ESMTP id KAA43412; Tue, 23 Nov 1999 10:11:56 -0700 (MST) Date: Tue, 23 Nov 1999 10:11:56 -0700 (MST) From: Nick Rogness To: Robin Gruyters Cc: freebsd-ipfw@freebsd.org Subject: Re: IPFW and forward In-Reply-To: <19991123171119.N49519@bofh.wish.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Tue, 23 Nov 1999, Robin Gruyters wrote: > ipfw add fwd : tcp from any to address> > > Something like that?!?! Please, help me. > You might want to use divert for this. Something like this: ipfw add divert natd ip from any to any via outside_interface Then run natd: /sbin/natd -port 8668 -redirect_port tcp external:port internal:port There is some other information that nat will need but you can add that from the natd man page. ******************************************************** Nick Rogness File not found... System Administrator Should I fake it (Y/N)? RapidNet, INC ******************************************************** To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 9:15:53 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from www.phear.nl (bofh.wish.net [212.61.32.7]) by hub.freebsd.org (Postfix) with ESMTP id 243E314F75 for ; Tue, 23 Nov 1999 09:15:30 -0800 (PST) (envelope-from robin@www.phear.nl) Received: (from robin@localhost) by www.phear.nl (8.10.0.Beta6/8.10.0.Beta6) id dANHHpb69705; Tue, 23 Nov 1999 18:17:51 +0100 (CET) Date: Tue, 23 Nov 1999 18:17:51 +0100 From: Robin Gruyters To: Nick Rogness Cc: freebsd-ipfw@freebsd.org Subject: Re: IPFW and forward Message-ID: <19991123181751.R49519@bofh.wish.net> References: <19991123171119.N49519@bofh.wish.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from nick@rapidnet.com on Tue, Nov 23, 1999 at 10:11:56AM -0700 X-Operating-System: FreeBSD, i386 X-PGP-Fingerprint: FD 2B 93 E9 04 20 5D F7 85 C2 F8 9E 05 4E 51 DD X-Url: http://www.phear.nl Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Tue, Nov 23, 1999 at 10:11:56AM -0700, Nick Rogness wrote: > On Tue, 23 Nov 1999, Robin Gruyters wrote: > > > ipfw add fwd : tcp from any to > address> > > > > Something like that?!?! Please, help me. > > > > You might want to use divert for this. Something like this: > > ipfw add divert natd ip from any to any via outside_interface > > Then run natd: > > /sbin/natd -port 8668 -redirect_port tcp external:port internal:port > > There is some other information that nat will need but you can add that > from the natd man page. > Well what I want to do is, contact an external address trough the firewall and forward it to an internal address. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 9:22: 9 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from pau-amma.whistle.com (pau-amma.whistle.com [207.76.205.64]) by hub.freebsd.org (Postfix) with ESMTP id BE8B915363 for ; Tue, 23 Nov 1999 09:21:58 -0800 (PST) (envelope-from dhw@whistle.com) Received: (from dhw@localhost) by pau-amma.whistle.com (8.9.2/8.9.2) id JAA20663; Tue, 23 Nov 1999 09:21:31 -0800 (PST) Date: Tue, 23 Nov 1999 09:21:31 -0800 (PST) From: David Wolfskill Message-Id: <199911231721.JAA20663@pau-amma.whistle.com> To: nick@rapidnet.com, robin@wish.net Subject: Re: IPFW and forward Cc: freebsd-ipfw@FreeBSD.ORG In-Reply-To: <19991123181751.R49519@bofh.wish.net> Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG >Date: Tue, 23 Nov 1999 18:17:51 +0100 >From: Robin Gruyters >On Tue, Nov 23, 1999 at 10:11:56AM -0700, Nick Rogness wrote: >> ... >> You might want to use divert for this. Something like this: >> ipfw add divert natd ip from any to any via outside_interface >> ... >> There is some other information that nat will need but you can add that >> from the natd man page. >Well what I want to do is, contact an external address trough the firewall and >forward it to an internal address. If I understand you correctly -- that is, that you want to be able to have some host on the Internet to be able to connect to the externally-visible address on the firewall, and have that connection (transparently) made to an internal machine, depending on the destination port (and possibly upon the source IP address, if you like), then yes: Nick's advice was a technique that I have used to accomplish precisely that. Cheers, david -- David Wolfskill dhw@whistle.com UNIX System Administrator voice: (650) 577-7158 pager: (888) 347-0197 FAX: (650) 372-5915 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 9:23:55 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from usui.sc.newnet.co.uk (usui.sc.newnet.co.uk [212.87.80.10]) by hub.freebsd.org (Postfix) with ESMTP id F302E150FE for ; Tue, 23 Nov 1999 09:23:37 -0800 (PST) (envelope-from peter@newnet.co.uk) Received: from newnet.co.uk (muktananda.sys.newnet.co.uk [212.87.87.37]) by usui.sc.newnet.co.uk (8.9.3/8.9.3) with ESMTP id RAA23412; Tue, 23 Nov 1999 17:22:30 GMT Message-ID: <383ACD4E.67453D76@newnet.co.uk> Date: Tue, 23 Nov 1999 17:22:22 +0000 From: Peter Coates X-Mailer: Mozilla 4.7 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: Robin Gruyters Cc: Nick Rogness , freebsd-ipfw@FreeBSD.ORG Subject: Re: IPFW and forward References: <19991123171119.N49519@bofh.wish.net> <19991123181751.R49519@bofh.wish.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Sound like you just need to enable packet forwarding if you wish to enable routing. Try this: sysctl -w net.inet.ip.forwarding=1 Peter, NewNet Limited Robin Gruyters wrote: > > On Tue, Nov 23, 1999 at 10:11:56AM -0700, Nick Rogness wrote: > > On Tue, 23 Nov 1999, Robin Gruyters wrote: > > > > > ipfw add fwd : tcp from any to > > address> > > > > > > Something like that?!?! Please, help me. > > > > > > > You might want to use divert for this. Something like this: > > > > ipfw add divert natd ip from any to any via outside_interface > > > > Then run natd: > > > > /sbin/natd -port 8668 -redirect_port tcp external:port internal:port > > > > There is some other information that nat will need but you can add that > > from the natd man page. > > > > Well what I want to do is, contact an external address trough the firewall and > forward it to an internal address. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 11:54:59 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (Postfix) with ESMTP id 7EF9B14A0D for ; Tue, 23 Nov 1999 11:54:56 -0800 (PST) (envelope-from julian@whistle.com) Received: from home.elischer.org (home.elischer.org [207.76.204.203]) by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id LAA92592; Tue, 23 Nov 1999 11:53:57 -0800 (PST) Date: Tue, 23 Nov 1999 11:53:56 -0800 (PST) From: Julian Elischer X-Sender: julian@home.elischer.org To: Robin Gruyters Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: IPFW and forward In-Reply-To: <19991123171119.N49519@bofh.wish.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG you cannot forwar dto an external port.. (it will allow it but it won't work.. remember that the packet is UNALTERED so when it gets to the machine, unless thh far machine thinks it should have it, it will say "huh? this isn't for me" and pass it back. you need to either: 1/ have an extra loopback (lo1) allocated on that machine with that address, or 2/ have ipfw running the same rule on that machine, to provide 'capture'. If you want to actually alter the packet, I believe NATD may be you friend. julian On Tue, 23 Nov 1999, Robin Gruyters wrote: > hi, > > > How do I set a forward: > > ipfw add fwd : tcp from any to > > Something like that?!?! Please, help me. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 13:23:47 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from backrosh.inter.net.il (backrosh.inter.net.il [192.116.196.9]) by hub.freebsd.org (Postfix) with ESMTP id A921A14E73 for ; Tue, 23 Nov 1999 13:23:34 -0800 (PST) (envelope-from aeg@iname.com) Received: from AEG (Haifa-12-218.access.net.il [213.8.12.218]) by backrosh.inter.net.il (8.9.3/8.9.3) with SMTP id XAA00872 for ; Tue, 23 Nov 1999 23:23:07 +0200 (IST) Message-ID: <002e01bf365d$f58fe590$da0c08d5@AEG> From: "Alexandr Gribenko" To: References: Subject: Re: IPFW and forward Date: Wed, 24 Nov 1999 11:26:12 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.5600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.5600 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG If we started with it... I have common problem with some of my clients... Let's say I have an inside network of 10.10.10.0/255 and outside of 192.117.193.192/24 with CISCO at 192.117.193.193 I have firewall with natd diverting all the packets at outside interface. I use 192.117.193.194 and 10.10.10.1 for my BSD network interfaces What do I whant to accomplish is to establish a server in inside network at, say 10.10.10.2 that will get all the traffic for lets say 192.117.193.195 I have packets for this IP routed from CISCO(192.117.193.193) to 192.117.193.194 which is FreeBSD with ipfw I am talking about. The question is HOW???? Is if fwd or divert. What the command will be??? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 13:37:51 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id A074F153BA for ; Tue, 23 Nov 1999 13:37:45 -0800 (PST) (envelope-from ahl@austclear.com.au) Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA65129; Wed, 24 Nov 1999 08:35:11 +1100 (EST) Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA05162; Wed, 24 Nov 1999 08:36:56 +1100 (EST) Message-Id: <199911232136.IAA05162@tungsten.austclear.com.au> X-Mailer: exmh version 2.0.1 12/23/97 To: "Alexandr Gribenko" Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: IPFW and forward In-Reply-To: Your message of "Wed, 24 Nov 1999 11:26:12 +0200." <002e01bf365d$f58fe590$da0c08d5@AEG> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 24 Nov 1999 08:36:55 +1100 From: Tony Landells Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > I have common problem with some of my clients... > Let's say I have an inside network of 10.10.10.0/255 and outside of > 192.117.193.192/24 with CISCO at 192.117.193.193 > I have firewall with natd diverting all the packets at outside interface. > I use 192.117.193.194 and 10.10.10.1 for my BSD network interfaces > What do I whant to accomplish is to establish a server in inside network at, > say 10.10.10.2 that will get all the traffic for lets say 192.117.193.195 > I have packets for this IP routed from CISCO(192.117.193.193) to > 192.117.193.194 which is FreeBSD with ipfw I am talking about. > The question is HOW???? Is if fwd or divert. What the command will be??? This is divert with natd--use something like: -redirect_address 10.10.10.2 192.117.193.195 which will set up a "static" translation between those two addresses. Personally, if I'm using an internal system I'm more likely to restrict things to ONLY one or two services, so instead I'd have something like: -redirect_port tcp 10.10.10.2:80 192.117.193.195:80 if the internal system was running a Web server. Why do I prefer this? It means that an attack can only be launched on that system using HTTP (which is probably bad enough) even if I have a gaping hole in the rest of my ipfw rules--the packets have nowhere to go. If I just use "redirect_address", anything that gets through my ipfw rules will get to the internal system. Cheers, Tony To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 17:20:41 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from ns.itga.com.au (ns.itga.com.au [192.83.119.129]) by hub.freebsd.org (Postfix) with ESMTP id 3D290154CE for ; Tue, 23 Nov 1999 17:20:27 -0800 (PST) (envelope-from gnb@itga.com.au) Received: from lightning.itga.com.au (lightning.itga.com.au [192.168.71.20]) by ns.itga.com.au (8.9.3/8.9.3) with ESMTP id MAA45323 for ; Wed, 24 Nov 1999 12:19:57 +1100 (EST) (envelope-from gnb@itga.com.au) Received: from lightning.itga.com.au (lightning.itga.com.au [192.168.71.20]) by lightning.itga.com.au (8.9.3/8.9.3) with ESMTP id MAA22897; Wed, 24 Nov 1999 12:19:56 +1100 (EST) Message-Id: <199911240119.MAA22897@lightning.itga.com.au> X-Mailer: exmh version 2.0.1 12/23/97 From: Gregory Bond To: freebsd-ipfw@FreeBSD.ORG Subject: NATD and IP Aliases Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 24 Nov 1999 12:19:56 +1100 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG If we are running natd on our external ethernet interface, and that ether interface has 2 IP addresses bound to it (on two different Class C nets), which IP will natd use for the outgoing packet? For packets originated on the server, the system is (I think!) clever enough to use as the local-address the IP that is on the same network as the first-hop gateway for that packet. Is natd clever enough to do the same thing? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Nov 23 22:34: 1 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 230F615516; Tue, 23 Nov 1999 22:33:45 -0800 (PST) (envelope-from green@FreeBSD.org) Received: from localhost (green@localhost [127.0.0.1]) by green.dyndns.org (8.9.3/8.9.3) with ESMTP id BAA43025; Wed, 24 Nov 1999 01:33:04 -0500 (EST) (envelope-from green@FreeBSD.org) Date: Wed, 24 Nov 1999 01:33:04 -0500 (EST) From: Brian Fundakowski Feldman X-Sender: green@green.dyndns.org To: ipfw@FreeBSD.org Cc: arch@FreeBSD.org Subject: new IPFW Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG I've finally sat myself down to take the first step in getting the new IPFW done. I'll start by listing some of the different ideas I've had, CC'd to arch@ so that I pick up the audience of people I need. First of all, what was done right about the old IPFW? The basic architecture is nice; a chain of rules is quite efficient, but can be improved upon with basic optimization techniques, which should be done. The syntax is pretty nice, and IPFW is really very fast. It is called by a hook so was easy to become a KLD. Now, the new IPFW could directly replace the old IPFW given that 1) it uses the same entry point, and 2) uses the same API. The API for calling IPFW per-packet itself is not bad. There are many things to improve upon. The old IPFW is very static and limited in certain regards. It uses a monolithic "rule" struct to store everything related to that rule, which is obviously not the right thing to do. There are arbitrary limits on rules because of this, and it makes the API pretty sickening. So what can be done better than the old IPFW? First of all, it should be easy to retrieve a rule and change it. I should be able get, for instance, rule 1000 (in old IPFW format, of course) 1000 deny all from 127.0.0.0/24 to any and replace it with 1000 deny all from 127.0.0.0/8 to any. This would require a retrieval, deletion, and addition under the current IPFW user API. Instead, there should be an API call that woul effectively say "change rule 1000's destination address netmask to /8". I also want to be able to make things nicer to do. One, a certain amount of state should be able to be stored, allowing stateful operations in IPFW where previously there were none. Commands should be more dynamic; all the old rule actions should be supported (pass, deny, fwd, divert, pipe, et al), whereas new ones should be easy to add by PIM (Pluggable IPFW Modules? =). Perhaps it would be nice to have a real "branch" action instead of using more hackish gotos, which can be terminated with deny all from any to any (which should be a synonym for "end"; you should be able to write procedures in IPFW). All actions except for deny should have a "continue" option, where the packet matching would both match that rule and follow its action, but also pass on to the next rule. This would obsolete the never-working- anyway "tee" action, and make things much easier, if thought about properly. To cut down on number of rules (that basically go pass such-and- such, deny other-such) with redundant information, which would of course take up less memory and processor time, each "match" type could be negated, such as, with a default-to-pass rule set, "deny [implicit all] ( src [alt:from] 127.0.0.0/8 or dest [alt:to] 127.0.0.8 ) and not interface lo0". This would allow actual logic in rules, albeit with slightly more complexity in the IPFW implementation in the kernel. This would be a huge gain for the administrator of the firewall, in that {,s}he could use a more natural programming syntax, rather than the current, simplistic, absolutely non-programmable (but klugeable) IPFW. For the matching rules themselves, they should be dynamic and possibly object-oriented. I envision something like this: struct ipfw_rule { int rule_number; /* maybe name alias, too? :) */ u_int32_t rule_options; /* for what doesn't fit in the action */ rule_action *action; /* action is an object and contains ancillary data */ SLIST_HEAD(, match_type) matches; /* must match all of these in the null-terminated list to match the rule */ struct irstats { u_int64_t matches; etc... } stats; }; The match_type could consist of something like: SLIST_FOREACH(matchrule, rule->matches, rule_list_entry) { if (!matchrule->dispatch(matchrule, packet, other info)) return 0; } passed all matches. action.... Where matcher_dispatch would read the match object, which would be inherited from the base type: struct base_matchrule { match_func_t *dispatch; }; and other types would be something like { struct address_matchrule { match_func_t *dispatch; u_int32_t flags; /* source/dest, IS or NOT, etc. */ struct sockaddr_maxsize addr; /* support in and in6 */ }; And this would be the object-oriented architecture part. I'm going to wrap this up since I'm up quite late (well, only 1:30, but I'm still a growing person...), and I don't want to start to get too incoherent. Thank you for your time and attention with my IPFW ideas, and please send comments and ideas to me; heck, I'd love to start a long discussion about this, so we can flesh everything out :) -- Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! / green@FreeBSD.org `------------------------------' To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 2:28:58 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 8AD1E150BF; Wed, 24 Nov 1999 02:28:46 -0800 (PST) (envelope-from rgrimes@gndrsh.dnsmgr.net) Received: (from rgrimes@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id CAA45230; Wed, 24 Nov 1999 02:26:32 -0800 (PST) (envelope-from rgrimes) From: "Rodney W. Grimes" Message-Id: <199911241026.CAA45230@gndrsh.dnsmgr.net> Subject: Re: new IPFW In-Reply-To: from Brian Fundakowski Feldman at "Nov 24, 1999 01:33:04 am" To: green@FreeBSD.ORG (Brian Fundakowski Feldman) Date: Wed, 24 Nov 1999 02:26:29 -0800 (PST) Cc: ipfw@FreeBSD.ORG, arch@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > I've finally sat myself down to take the first step in getting the new > IPFW done. I'll start by listing some of the different ideas I've had, ... [and lots more good stuff cut to make this short and to the point]... > And this would be the object-oriented architecture part. > > I'm going to wrap this up since I'm up quite late (well, only 1:30, but > I'm still a growing person...), and I don't want to start to get too > incoherent. Thank you for your time and attention with my IPFW ideas, > and please send comments and ideas to me; heck, I'd love to start > a long discussion about this, so we can flesh everything out :) Have you looked at or though about using the bpf routines in the kernel? bpf match rules are very powerful, compile to some pretty fast code, and the code is already written, and it knows about a lot more than just IP. After all, they are probably the ``oldest'' set of filter routines we have, they have just never been reused to do firewall type stuff with. The fcode engine even has a jump, though all jumps must be forward in the fcode, but this is no more restrictive than the current firewall rule ``skipto'' operation. -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 2:50:17 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (Postfix) with ESMTP id 291FB150B8; Wed, 24 Nov 1999 02:50:11 -0800 (PST) (envelope-from julian@whistle.com) Received: from current1.whiste.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id CAA83363; Wed, 24 Nov 1999 02:49:48 -0800 (PST) Date: Wed, 24 Nov 1999 02:49:48 -0800 (PST) From: Julian Elischer To: "Rodney W. Grimes" Cc: Brian Fundakowski Feldman , ipfw@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: new IPFW In-Reply-To: <199911241026.CAA45230@gndrsh.dnsmgr.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Wed, 24 Nov 1999, Rodney W. Grimes wrote: > > I've finally sat myself down to take the first step in getting the new > > IPFW done. I'll start by listing some of the different ideas I've had, > ... [and lots more good stuff cut to make this short and to the point]... > > > And this would be the object-oriented architecture part. > > > > I'm going to wrap this up since I'm up quite late (well, only 1:30, but > > I'm still a growing person...), and I don't want to start to get too > > incoherent. Thank you for your time and attention with my IPFW ideas, > > and please send comments and ideas to me; heck, I'd love to start > > a long discussion about this, so we can flesh everything out :) > > Have you looked at or though about using the bpf routines in the > kernel? bpf match rules are very powerful, compile to some pretty > fast code, and the code is already written, and it knows about a lot > more than just IP. > > After all, they are probably the ``oldest'' set of filter routines > we have, they have just never been reused to do firewall type stuff > with. The fcode engine even has a jump, though all jumps must be > forward in the fcode, but this is no more restrictive than the current > firewall rule ``skipto'' operation. iThen there is a reference that Garret Wollman pointed out some time ago. a package at MIT called 'DPF' Very cool.. incorporated into the Exokernel. Unfortunatly it uses an in-kernel incremental machine instruction generator so it wouldn't be very portable, however it is apparently blazingly fast. I envision a combination of the structure of ipfw with the compiled speed of DPF. in other th packet falls through an IPFW branching structure until it hits a DPF filter which produces an outcome. > > -- > Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 3:54:52 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from www.ifrance.com (www.ifrance.com [209.67.249.134]) by hub.freebsd.org (Postfix) with SMTP id F3F8A15120 for ; Wed, 24 Nov 1999 03:54:45 -0800 (PST) (envelope-from brunoc@ifrance.com) Received: from 212.124.1.84 [212.124.1.84] by www.ifrance.com; Wed, 24 Nov 1999 11:45:33 GMT Message-ID: <003201bf3673$23b24d90$1ec809c0@motte.alpes-net.fr> From: "Christian Bruno" To: Subject: firewall punching disabled in natd/libalias ? Date: Wed, 24 Nov 1999 12:57:51 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3155.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG hello, i'm adding a functionality (H323) in libalias(FreeBSD 3.0 Release), and i need to use "Firewall Punching". As far as i know, i just have to call fwpunchhole( ) to add dynamically (and temporary) a rule to the firewall rule list ( it will be a rule like : allow tcp from sourceip to destip #portnumer SETUP ) My problem is that all the code involved in fw punch seems to be "de-activated". A call to SetPacketAliasMode() (from natd.c) can activate this function but it seems there is no command line option in NATD to do so. i need to modify natd.c and add a new option ? will this code (fwpunchhole) be removed from the freebsd natd ? any help greatly appreciated ! Regards, Christian brunoc@ifrance.com ps : as i'm new to freebsd mailing lists, please reply to my email if this message is posted in the wrong list ______________________________________________________________________ Message envoye depuis iFrance >> http://www.ifrance.com Gratuit >> Hebergement (50 Mo)/Vos emails (POP&HTML,20 Mo) Votre agenda online gratuit >> http://agenda.ifrance.com NOUVEAU : Faxez gratuitement ! >> http://fax.ifrance.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 9:26:11 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from inago.swcp.com (inago.swcp.com [198.59.115.17]) by hub.freebsd.org (Postfix) with ESMTP id 21D9414BF2; Wed, 24 Nov 1999 09:26:03 -0800 (PST) (envelope-from synk@swcp.com) Received: (from synk@localhost) by inago.swcp.com (8.8.7/8.8.7) id KAA14176; Wed, 24 Nov 1999 10:25:06 -0700 (MST) Date: Wed, 24 Nov 1999 10:25:06 -0700 From: Brendan Conoboy To: Brian Fundakowski Feldman Cc: ipfw@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: new IPFW Message-ID: <19991124102506.A14069@inago.swcp.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.6i In-Reply-To: ; from Brian Fundakowski Feldman on Wed, Nov 24, 1999 at 01:33:04AM -0500 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Wed, Nov 24, 1999 at 01:33:04AM -0500, Brian Fundakowski Feldman wrote: > I've finally sat myself down to take the first step in getting the new > IPFW done. I'll start by listing some of the different ideas I've had, > CC'd to arch@ so that I pick up the audience of people I need. Perhaps everybody but me knows the answer to this one: Why not build off of ipfilter? I've chosen ipf over ipfw for the last couple of years because ipf already had state, nat proxies, route intervention, etc. Since 3.x freebsd has carried support for both. Does ipf have something really ugly under the hood that people don't want to work with? -Brendan (synk@swcp.com) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 13:51:14 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id 1194515487; Wed, 24 Nov 1999 13:51:06 -0800 (PST) (envelope-from ahl@austclear.com.au) Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA69731; Thu, 25 Nov 1999 08:46:19 +1100 (EST) Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA25984; Thu, 25 Nov 1999 08:48:11 +1100 (EST) Message-Id: <199911242148.IAA25984@tungsten.austclear.com.au> X-Mailer: exmh version 2.0.1 12/23/97 To: ipfw@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: new IPFW Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 25 Nov 1999 08:48:10 +1100 From: Tony Landells Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG One of the things that would be a minor prettiness improvement (hmm, I wonder if I should TM that?)... At the moment I have rule numbers on every rule in rc.firewall because I want to start all my "groups" of rules at a boundary (like multiples of 10000 for "major" groups, and multiples of 1000 for "minor" groups). I didn't want to do it with numbers on every rule, but there didn't seem to be many alternatives: if I just put "$ipfw add 10000 ..." for each rule in the group, then they all get the exact same number if I use "skipto" to set line numbers every so often then I get crap I don't want in the rulesets if I put the line number on the first line in each group, then I have to actually pay attention when I'm debugging a new ruleset as to where I've commented out lines, or inserted/deleted the first line in a group--that's way too hard ;-) I'd be much happier with something in ipfw that just marked the next line number to be used, preferably in a way that I could get it to move to the next "grouping"--like "set the next rule number to the next multiple of 1000". Such a thing may fall out of going to a more procedural layout, because you could have: rules rfc1918 { # filter out and log any RFC 1918 addresses add deny log ... add deny log ... }; and then say something like "add rfc1918 ..." or whatever. Of course, I guess I could achieve the same effect by using a shell variable and a few functions in rc.firewall... Tony To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 13:53:20 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id 5279B152EE; Wed, 24 Nov 1999 13:53:15 -0800 (PST) (envelope-from ahl@austclear.com.au) Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA69742; Thu, 25 Nov 1999 08:50:35 +1100 (EST) Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA26077; Thu, 25 Nov 1999 08:52:28 +1100 (EST) Message-Id: <199911242152.IAA26077@tungsten.austclear.com.au> X-Mailer: exmh version 2.0.1 12/23/97 To: ipfw@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: new IPFW In-Reply-To: Your message of "Wed, 24 Nov 1999 02:26:29 -0800." <199911241026.CAA45230@gndrsh.dnsmgr.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 25 Nov 1999 08:52:28 +1100 From: Tony Landells Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG [ using BPF for ipfw ] One concern I would have with that is that there are a lot of tools built on BPF that I would prefer to not be able to run on the firewall. Well, to be more accurate, I'd love to be able to run them on the firewall, but I don't want attackers to have access to them, and the safest option is to not even have support in the kernel for them (I can always plug in a separate sniffer if I really need it). Cheers, Tony To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 13:56:40 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 608) id F3A5C1545C; Wed, 24 Nov 1999 13:56:38 -0800 (PST) From: "Jonathan M. Bresler" To: ahl@austclear.com.au Cc: ipfw@FreeBSD.ORG In-reply-to: <199911242152.IAA26077@tungsten.austclear.com.au> (message from Tony Landells on Thu, 25 Nov 1999 08:52:28 +1100) Subject: Re: new IPFW Message-Id: <19991124215638.F3A5C1545C@hub.freebsd.org> Date: Wed, 24 Nov 1999 13:56:38 -0800 (PST) Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG please dont send the same email to freebsd-arch and freebsd-isp. it belongs in one to the other, not both. thanks jmb To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 14: 9: 8 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 65AAB152D5; Wed, 24 Nov 1999 14:09:03 -0800 (PST) (envelope-from rgrimes@gndrsh.dnsmgr.net) Received: (from rgrimes@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id OAA46490; Wed, 24 Nov 1999 14:08:47 -0800 (PST) (envelope-from rgrimes) From: "Rodney W. Grimes" Message-Id: <199911242208.OAA46490@gndrsh.dnsmgr.net> Subject: Re: new IPFW In-Reply-To: <199911242152.IAA26077@tungsten.austclear.com.au> from Tony Landells at "Nov 25, 1999 08:52:28 am" To: ahl@austclear.com.au (Tony Landells) Date: Wed, 24 Nov 1999 14:08:47 -0800 (PST) Cc: ipfw@FreeBSD.ORG, arch@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > [ using BPF for ipfw ] > > One concern I would have with that is that there are a lot of tools > built on BPF that I would prefer to not be able to run on the firewall. > > Well, to be more accurate, I'd love to be able to run them on the > firewall, but I don't want attackers to have access to them, and > the safest option is to not even have support in the kernel for them > (I can always plug in a separate sniffer if I really need it). Non-issue. The fcode engine is in net/bpf_filter.c, the bpf tapping routings that actually get packets to/from the cards is in net/bpf.c. I din't mean to imply that the filtering should be done using the /dev/bpf interface, just that the engine code for filtering could be reused. -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 14:32:58 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id 6C4A714FD9; Wed, 24 Nov 1999 14:32:54 -0800 (PST) (envelope-from louie@whizzo.transsys.com) Received: from whizzo.transsys.com (localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.9.3/8.9.1) with ESMTP id RAA21036; Wed, 24 Nov 1999 17:31:30 -0500 (EST) (envelope-from louie@whizzo.transsys.com) Message-Id: <199911242231.RAA21036@whizzo.transsys.com> X-Mailer: exmh version 2.1.1 10/15/1999 To: "Rodney W. Grimes" Cc: ahl@austclear.com.au (Tony Landells), ipfw@FreeBSD.ORG, arch@FreeBSD.ORG From: "Louis A. Mamakos" Subject: Re: new IPFW References: <199911242208.OAA46490@gndrsh.dnsmgr.net> In-reply-to: Your message of "Wed, 24 Nov 1999 14:08:47 PST." <199911242208.OAA46490@gndrsh.dnsmgr.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 24 Nov 1999 17:31:30 -0500 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > > [ using BPF for ipfw ] > > > > One concern I would have with that is that there are a lot of tools > > built on BPF that I would prefer to not be able to run on the firewall. > > > > Well, to be more accurate, I'd love to be able to run them on the > > firewall, but I don't want attackers to have access to them, and > > the safest option is to not even have support in the kernel for them > > (I can always plug in a separate sniffer if I really need it). > > Non-issue. The fcode engine is in net/bpf_filter.c, the bpf tapping > routings that actually get packets to/from the cards is in net/bpf.c. > > I din't mean to imply that the filtering should be done using the /dev/bpf > interface, just that the engine code for filtering could be reused. I've actually used the BFP engine for just such an application. It was on another platform (NeXTSTEP), and it was sorta a netgraph-like system, but all in user space. I used a BPF-based engine for such things as "firewall" type filtering, as well as classifing traffic for dial-on-demand and idle-timeout reset. It worked quite well. The one extension which would be valuable is more an extension of the BPF expression compiler rather than the engine itself; if would be valuable to be able to return a value from the BPF-engine program so that it could be acted on. The engine itself has this capability, but the existing tcpdump intended expression compiler doesn't currently have syntax to support it. louie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 14:43:43 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from chai.torrentnet.com (chai.torrentnet.com [198.78.51.73]) by hub.freebsd.org (Postfix) with ESMTP id 2EB5F14BDA; Wed, 24 Nov 1999 14:43:38 -0800 (PST) (envelope-from bakul@torrentnet.com) Received: from chai.torrentnet.com (localhost [127.0.0.1]) by chai.torrentnet.com (8.8.8/8.8.5) with ESMTP id RAA13782; Wed, 24 Nov 1999 17:42:38 -0500 (EST) Message-Id: <199911242242.RAA13782@chai.torrentnet.com> To: "Louis A. Mamakos" Cc: "Rodney W. Grimes" , ahl@austclear.com.au (Tony Landells), ipfw@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: new IPFW In-reply-to: Your message of "Wed, 24 Nov 1999 17:31:30 EST." <199911242231.RAA21036@whizzo.transsys.com> Date: Wed, 24 Nov 1999 17:42:38 -0500 From: Bakul Shah Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > It worked quite well. The one extension which would be valuable is more > an extension of the BPF expression compiler rather than the engine itself; > if would be valuable to be able to return a value from the BPF-engine > program so that it could be acted on. The engine itself has this capability, > but the existing tcpdump intended expression compiler doesn't currently > have syntax to support it. What would be neat is an extensible filter language that maps symbolic names to a filter expression on packet fields as well as a printer language that allows specifying how things get printed. Right now you have to extend tcpdump's print routines for the latter. Also, there is no good reason why the print routines shouldn't be in a library like libpcap so that tcpdump is just a main program relying almost completely on a library. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 14:52:31 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (Postfix) with ESMTP id 4B5051552D; Wed, 24 Nov 1999 14:52:19 -0800 (PST) (envelope-from julian@whistle.com) Received: from current1.whiste.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id OAA53709; Wed, 24 Nov 1999 14:49:34 -0800 (PST) Date: Wed, 24 Nov 1999 14:49:33 -0800 (PST) From: Julian Elischer To: "Louis A. Mamakos" Cc: "Rodney W. Grimes" , Tony Landells , ipfw@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: new IPFW In-Reply-To: <199911242231.RAA21036@whizzo.transsys.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG We are playing with the idea of a 'bpf' node in netgraph. ALso a DPF node and a firewall node. We are also playing with the idea of puting the telnet daemon in a node too :-) Louis, have you looked at the pppoe node? (as you are the author of the RFC I'd like your comments) Is uunet implementing pppoe yet? I notice all our dsl line s are still 'routed'. (can you select which method to use with each custommer on a line by line basis? On Wed, 24 Nov 1999, Louis A. Mamakos wrote: > > > [ using BPF for ipfw ] > > > > > > One concern I would have with that is that there are a lot of tools > > > built on BPF that I would prefer to not be able to run on the firewall. > > > > > > Well, to be more accurate, I'd love to be able to run them on the > > > firewall, but I don't want attackers to have access to them, and > > > the safest option is to not even have support in the kernel for them > > > (I can always plug in a separate sniffer if I really need it). > > > > Non-issue. The fcode engine is in net/bpf_filter.c, the bpf tapping > > routings that actually get packets to/from the cards is in net/bpf.c. > > > > I din't mean to imply that the filtering should be done using the /dev/bpf > > interface, just that the engine code for filtering could be reused. > > I've actually used the BFP engine for just such an application. It was > on another platform (NeXTSTEP), and it was sorta a netgraph-like system, > but all in user space. I used a BPF-based engine for such things as > "firewall" type filtering, as well as classifing traffic for dial-on-demand > and idle-timeout reset. > > It worked quite well. The one extension which would be valuable is more > an extension of the BPF expression compiler rather than the engine itself; > if would be valuable to be able to return a value from the BPF-engine > program so that it could be acted on. The engine itself has this capability, > but the existing tcpdump intended expression compiler doesn't currently > have syntax to support it. > > louie > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 14:56:33 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (Postfix) with ESMTP id BA60F154D2; Wed, 24 Nov 1999 14:56:30 -0800 (PST) (envelope-from julian@whistle.com) Received: from current1.whiste.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id OAA54155; Wed, 24 Nov 1999 14:55:34 -0800 (PST) Date: Wed, 24 Nov 1999 14:55:34 -0800 (PST) From: Julian Elischer To: Bakul Shah Cc: "Louis A. Mamakos" , "Rodney W. Grimes" , Tony Landells , ipfw@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: new IPFW In-Reply-To: <199911242242.RAA13782@chai.torrentnet.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Wed, 24 Nov 1999, Bakul Shah wrote: > > It worked quite well. The one extension which would be valuable is more > > an extension of the BPF expression compiler rather than the engine itself; > > if would be valuable to be able to return a value from the BPF-engine > > program so that it could be acted on. The engine itself has this capability, > > but the existing tcpdump intended expression compiler doesn't currently > > have syntax to support it. > > What would be neat is an extensible filter language that maps > symbolic names to a filter expression on packet fields as > well as a printer language that allows specifying how things > get printed. Right now you have to extend tcpdump's print > routines for the latter. Also, there is no good reason why > the print routines shouldn't be in a library like libpcap so > that tcpdump is just a main program relying almost completely > on a library. We've been doing some work on something similar but I had never thought of trying to apply it to bpf... hmmmmm. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Nov 24 15:52:36 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id 28C1115404; Wed, 24 Nov 1999 15:52:30 -0800 (PST) (envelope-from louie@whizzo.transsys.com) Received: from whizzo.transsys.com (localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.9.3/8.9.1) with ESMTP id SAA21464; Wed, 24 Nov 1999 18:50:56 -0500 (EST) (envelope-from louie@whizzo.transsys.com) Message-Id: <199911242350.SAA21464@whizzo.transsys.com> X-Mailer: exmh version 2.1.1 10/15/1999 To: Julian Elischer Cc: "Rodney W. Grimes" , Tony Landells , ipfw@FreeBSD.ORG, arch@FreeBSD.ORG From: "Louis A. Mamakos" Subject: Re: new IPFW References: In-reply-to: Your message of "Wed, 24 Nov 1999 14:49:33 PST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 24 Nov 1999 18:50:56 -0500 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG [as I don my pointy, er, UUNET hat..] > Louis, have you looked at the pppoe node? (as you are the author > of the RFC I'd like your comments) I've looked at the PPPOE node and the pppoed daemon code recently check in. I'm going to try to set up a FreeBSD test environment in my lab and play with it. We just moved a few weeks ago, and are trying to recover from the chaos of that :-( > Is uunet implementing pppoe yet? I notice all our dsl line s are still > 'routed'. (can you select which method to use with each custommer on a > line by line basis? Yes, though its generally only deployed these days for the consumer/residential product, rather than the business service. That reflects what was there first (the business service using what was available, IP/RFC1483/ATM or IP/RFC1490/Frame Relay). I don't know that it's easy to choose between the two, based on the back-end provisioning and OSS software that "knows" how each of the various products are supposed to be configured. The real driver for the PPPoE development was to support large scale deployments for residential/consumer users, and to support a resale model like we do on our dial network. louie (a.k.a. louie@UU.NET) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Nov 25 7:36:24 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id B6F8014CED; Thu, 25 Nov 1999 07:36:06 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA12448; Thu, 25 Nov 1999 07:36:05 -0800 Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by point.osg.gov.bc.ca, id smtpda12446; Thu Nov 25 07:35:47 1999 Received: (from uucp@localhost) by cwsys.cwsent.com (8.9.3/8.9.1) id HAA67071; Thu, 25 Nov 1999 07:34:03 -0800 (PST) Message-Id: <199911251534.HAA67071@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdD67066; Thu Nov 25 07:33:14 1999 X-Mailer: exmh version 2.1.1 10/15/1999 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 3.3-RELEASE X-Sender: cy To: Tony Landells Cc: ipfw@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: new IPFW In-reply-to: Your message of "Thu, 25 Nov 1999 08:48:10 +1100." <199911242148.IAA25984@tungsten.austclear.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 25 Nov 1999 07:33:13 -0800 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG In message <199911242148.IAA25984@tungsten.austclear.com.au>, Tony Landells wri tes: > I'd be much happier with something in ipfw that just marked the next line > number to be used, preferably in a way that I could get it to move to the > next "grouping"--like "set the next rule number to the next multiple of > 1000". This is what I use in one of my dialup scripts at home: #!/usr/local/bin/bash - # # Generic firewall routines. # fw() { set $@ if /sbin/ipfw -q $@; then : ; else /usr/bin/logger -t "net[$$]" -p auth.error error in: /sbin/ipfw -q $@ echo error in: /sbin/ipfw -q $@ fi } firewall() { set $@ fw add $NUMBER $@ let NUMBER=$NUMBER+1 } ... NUMBER=23000 fw add 29998 reset log ... firewall deny log ... firewall deny log ... ... NUMBER=1100 for SYSTEM in $SERVERS; do firewall divert natd ... out via $DEVICE firewall divert natd ... in via $DEVICE firewall accept ip ... out via $DEVICE firewall accept ip ... in via $DEVICE done ... Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Province of BC "e**(i*pi)+1=0" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Nov 25 10:40: 8 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 65F4914DBB; Thu, 25 Nov 1999 10:39:48 -0800 (PST) (envelope-from rgrimes@gndrsh.dnsmgr.net) Received: (from rgrimes@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id KAA49143; Thu, 25 Nov 1999 10:39:24 -0800 (PST) (envelope-from rgrimes) From: "Rodney W. Grimes" Message-Id: <199911251839.KAA49143@gndrsh.dnsmgr.net> Subject: Re: new IPFW In-Reply-To: <199911251534.HAA67071@cwsys.cwsent.com> from Cy Schubert - ITSD Open Systems Group at "Nov 25, 1999 07:33:13 am" To: Cy.Schubert@uumail.gov.bc.ca (Cy Schubert - ITSD Open Systems Group) Date: Thu, 25 Nov 1999 10:39:23 -0800 (PST) Cc: ahl@austclear.com.au (Tony Landells), ipfw@FreeBSD.ORG, arch@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > In message <199911242148.IAA25984@tungsten.austclear.com.au>, Tony Landells wri > tes: > > I'd be much happier with something in ipfw that just marked the next line > > number to be used, preferably in a way that I could get it to move to the > > next "grouping"--like "set the next rule number to the next multiple of > > 1000". > > This is what I use in one of my dialup scripts at home: ... And here is another one thats designed to simply handling client/server type tcp and udp protocols it uses fixed rule bases and the port # as an offset. Makes for grepping specific types of accept log data from the ipfw.log files easier [Tab formats probably destroyed by cut-n-paste]: This is just a snippet of the whole file, but I think one can get the idea of what we did here. Note also this is a very open rule set in the calls to clnsrv, we mainly just monitor for suspecious activity. The contents of rc.firewall.conf is up to the reader to figure out... #!/bin/sh # GLOBALS to control things, like testing. Setting fire="echo" # is real nice for debugging. fire="/sbin/ipfw" fadd="${fire} add" # clnsrv(action, proto, sport, dport, clients, servers) clnsrv() { action=$1; shift proto=$1; shift sport=$1; shift dport=$1; shift clients=$1; shift servers=$1; shift if [ X"${proto}" = X"tcp" ]; then setup="setup" base=10000 else setup="" base=40000 fi if [ X"${dport}" = X"" ]; then ruleoffset=${sport} else ruleoffset=${dport} fi if [ ${ruleoffset} -gt 1899 ]; then ruleoffset=1900 fi rule=`expr ${base} + $ ${ruleoffset} \* 10 $` for cln in ${clients} ; do for srv in ${servers} ; do ${fadd} ${rule} ${action} ${proto} \ from ${cln} ${sport} to ${srv} ${dport} ${setup} done done rule=`expr ${rule} + 9` ${fadd} ${rule} ${CLASS} log ${proto} from any ${sport} to any ${dport} } # Pull in the address variables from the conf file or error out if # there is not one (keeps one from shooting your feet off!) if [ -f /etc/rc.firewall.conf ]; then . /etc/rc.firewall.conf else echo "$0 - no rc.firewall.conf file!!! Not loading!!!" exit 1 fi ... [basic stuff for lo0, rfc1918, and some other not so public data] ... ################################################################################ # TCP/* # ${fadd} 10000 allow tcp from any to any established clnsrv "allow " tcp 20 "" "${tcp_ftpdata_c}" "${tcp_ftpdata_s}" clnsrv "allow " tcp "" 21 "${tcp_ftp_c}" "${tcp_ftp_s}" clnsrv "allow " tcp "" 22 "${tcp_ssh_c}" "${tcp_ssh_s}" clnsrv "allow " tcp "" 23 "${tcp_telnet_c}" "${tcp_telnet_s}" clnsrv "allow " tcp "" 25 "${tcp_smtp_c}" "${tcp_smtp_s}" clnsrv "allow " tcp "" 43 "${tcp_nicname_c}" "${tcp_nicname_s}" clnsrv "allow " tcp "" 53 "${tcp_domain_c}" "${tcp_domain_s}" clnsrv "allow " tcp "" 79 "${tcp_finger_c}" "${tcp_finger_s}" clnsrv "allow " tcp "" 80 "${tcp_http_c}" "${tcp_http_s}" clnsrv "allow " tcp "" 110 "${tcp_pop3_c}" "${tcp_pop3_s}" clnsrv "allow " tcp "" 111 "${tcp_sunrpc_c}" "${tcp_sunrpc_s}" clnsrv "allow " tcp "" 113 "${tcp_auth_c}" "${tcp_auth_s}" clnsrv "allow " tcp "" 119 "${tcp_nntp_c}" "${tcp_nntp_s}" clnsrv "allow " tcp "" 123 "${tcp_ntp_c}" "${tcp_ntp_s}" clnsrv "allow " tcp "" 137 "${tcp_netbios_ns_c}" "${tcp_netbios_ns_s}" clnsrv "allow " tcp "" 138 "${tcp_netbios_dgm_c}" "${tcp_netbios_dgm_s}" clnsrv "allow " tcp "" 139 "${tcp_netbios_ssn_c}" "${tcp_netbios_ssn_s}" clnsrv "allow " tcp "" 179 "${tcp_bgp_c}" "${tcp_bgp_s}" clnsrv "allow " tcp "" 443 "${tcp_https_c}" "${tcp_https_s}" clnsrv "allow " tcp "" 515 "${tcp_printer_c}" "${tcp_printer_s}" clnsrv "allow " tcp "" 5190 "${tcp_aol_c}" "${tcp_aol_s}" # XXX For now log all other TCP setups ${fadd} 29999 allow log tcp from any to any setup ################################################################################ # UDP/* # clnsrv "allow " udp "" 53 "${udp_domain_c}" "${udp_domain_s}" clnsrv "allow " udp 53 "" "${udp_domain_s}" "${udp_domain_c}" clnsrv "allow " udp "" 123 "${udp_ntp_c}" "${udp_ntp_s}" clnsrv "allow " udp "" 137 "${udp_netbios_ns_c}" "${udp_netbios_ns_s}" clnsrv "allow " udp "" 138 "${udp_netbios_dgm_c}" "${udp_netbios_dgm_s}" clnsrv "allow log" udp "" 139 "${udp_netbios_ssn_c}" "${udp_netbios_ssn_s}" clnsrv "allow " udp "" 161 "${udp_snmp_c}" "${udp_snmp_s}" clnsrv "allow " udp 161 "" "${udp_snmp_s}" "${udp_snmp_c}" clnsrv "allow " udp "" 162 "${udp_snmptrap_c}" "${udp_snmptrap_s}" clnsrv "allow " udp 162 "" "${udp_snmptrap_s}" "${udp_snmptrap_c}" clnsrv "allow " udp "" 512 "${udp_biff_c}" "${udp_biff_s}" clnsrv "allow " udp "" 513 "${udp_who_c}" "${udp_who_s}" clnsrv "allow " udp "" 514 "${udp_syslog_c}" "${udp_syslog_s}" clnsrv "allow " udp "" 515 "${udp_printer_c}" "${udp_printer_s}" clnsrv "allow " udp "" 516 "${udp_videotex_c}" "${udp_videotex_s}" clnsrv "allow " udp "" 517 "${udp_talk_c}" "${udp_talk_s}" clnsrv "allow " udp "" 518 "${udp_ntalk_c}" "${udp_ntalk_s}" clnsrv "allow " udp "" 519 "${udp_utime_c}" "${udp_utime_s}" clnsrv "allow " udp "" 520 "${udp_router_c}" "${udp_router_s}" clnsrv "allow " udp "" 521 "${udp_ripng_c}" "${udp_ripng_s}" clnsrv "allow " udp 1645 1645 "${udp_radius_c}" "${udp_radius_s}" clnsrv "allow " udp 1645 1645 "${udp_radius_s}" "${udp_radius_c}" clnsrv "allow " udp 1646 1646 "${udp_radacct_c}" "${udp_radacct_s}" clnsrv "allow " udp 1646 1646 "${udp_radacct_s}" "${udp_radacct_c}" clnsrv "allow " udp 1812 1812 "${udp_radius_c}" "${udp_radius_s}" clnsrv "allow " udp 1812 1812 "${udp_radius_s}" "${udp_radius_c}" clnsrv "allow " udp 1813 1813 "${udp_radacct_c}" "${udp_radacct_s}" clnsrv "allow " udp 1813 1813 "${udp_radacct_s}" "${udp_radacct_c}" clnsrv "allow " udp "" 4000 "${udp_4000_c}" "${udp_4000_s}" clnsrv "allow " udp 4000 "" "${udp_4000_s}" "${udp_4000_c}" ${fadd} 59999 allow log udp from any to any much much more below here deleted... -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Nov 25 11:41:18 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (Postfix) with ESMTP id 9B4FD14C86; Thu, 25 Nov 1999 11:41:13 -0800 (PST) (envelope-from julian@whistle.com) Received: from current1.whiste.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.9.1a/8.9.1) with ESMTP id LAA73476; Thu, 25 Nov 1999 11:40:58 -0800 (PST) Date: Thu, 25 Nov 1999 11:40:58 -0800 (PST) From: Julian Elischer To: Cy Schubert - ITSD Open Systems Group Cc: Tony Landells , ipfw@FreeBSD.ORG, arch@FreeBSD.ORG Subject: Re: new IPFW In-Reply-To: <199911251534.HAA67071@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Thu, 25 Nov 1999, Cy Schubert - ITSD Open Systems Group wrote: > In message <199911242148.IAA25984@tungsten.austclear.com.au>, Tony Landells wri > tes: > > I'd be much happier with something in ipfw that just marked the next line > > number to be used, preferably in a way that I could get it to move to the > > next "grouping"--like "set the next rule number to the next multiple of > > 1000". have you tried this? ipfw will add new un-numbered rules on the next 100 boundary after the rule you specified. > > This is what I use in one of my dialup scripts at home: > > #!/usr/local/bin/bash - > # > # Generic firewall routines. > # > fw() { > set $@ > if /sbin/ipfw -q $@; then : ; else > /usr/bin/logger -t "net[$$]" -p auth.error error in: /sbin/ipfw > -q $@ > echo error in: /sbin/ipfw -q $@ > fi > } > > firewall() { > set $@ > fw add $NUMBER $@ > let NUMBER=$NUMBER+1 > } > ... > NUMBER=23000 > fw add 29998 reset log ... > firewall deny log ... > firewall deny log ... > ... > NUMBER=1100 > for SYSTEM in $SERVERS; do > firewall divert natd ... out via $DEVICE > firewall divert natd ... in via $DEVICE > firewall accept ip ... out via $DEVICE > firewall accept ip ... in via $DEVICE > done > ... > > > Regards, Phone: (250)387-8437 > Cy Schubert Fax: (250)387-5766 > Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca > ITSD Cy.Schubert@gems8.gov.bc.ca > Province of BC > "e**(i*pi)+1=0" > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-arch" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Nov 25 13:12:10 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from awfulhak.org (dynamic-17.max4-du-ws.dialnetwork.pavilion.co.uk [212.74.9.145]) by hub.freebsd.org (Postfix) with ESMTP id 216CA14C99; Thu, 25 Nov 1999 13:12:05 -0800 (PST) (envelope-from brian@Awfulhak.org) Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id VAA01069; Thu, 25 Nov 1999 21:12:02 GMT (envelope-from brian@lan.awfulhak.org) Received: from hak.lan.Awfulhak.org (brian@localhost.lan.Awfulhak.org [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id JAA00527; Thu, 25 Nov 1999 09:44:58 GMT (envelope-from brian@hak.lan.Awfulhak.org) Message-Id: <199911250944.JAA00527@hak.lan.Awfulhak.org> X-Mailer: exmh version 2.1.0 09/18/1999 To: "Louis A. Mamakos" Cc: Julian Elischer , "Rodney W. Grimes" , Tony Landells , ipfw@FreeBSD.ORG, arch@FreeBSD.ORG, brian@hak.lan.Awfulhak.org Subject: Re: new IPFW In-Reply-To: Message from "Louis A. Mamakos" of "Wed, 24 Nov 1999 18:50:56 EST." <199911242350.SAA21464@whizzo.transsys.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 25 Nov 1999 09:44:58 +0000 From: Brian Somers Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > > [as I don my pointy, er, UUNET hat..] > > > Louis, have you looked at the pppoe node? (as you are the author > > of the RFC I'd like your comments) > > I've looked at the PPPOE node and the pppoed daemon code recently > check in. I'm going to try to set up a FreeBSD test environment in > my lab and play with it. We just moved a few weeks ago, and are trying > to recover from the chaos of that :-( There's an example in share/examples/ppp/ppp.conf.sample. [.....] > louie > (a.k.a. louie@UU.NET) -- Brian Don't _EVER_ lose your sense of humour ! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Nov 25 22:51:49 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from staff.accessus.net (staff.accessus.net [209.145.151.3]) by hub.freebsd.org (Postfix) with ESMTP id CC70714D93; Thu, 25 Nov 1999 22:51:43 -0800 (PST) (envelope-from doogie@staff.accessus.net) Received: by staff.accessus.net with Internet Mail Service (5.5.2650.21) id ; Fri, 26 Nov 1999 00:51:42 -0600 Message-ID: From: Jason Young To: 'Brian Fundakowski Feldman' , ipfw@freebsd.org Cc: arch@freebsd.org Subject: RE: new IPFW Date: Fri, 26 Nov 1999 00:51:41 -0600 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01BF37DA.B217A81A" Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01BF37DA.B217A81A Content-Type: text/plain; charset="iso-8859-1" I've had the privelege of using BSD/OS 4.0's firewalling code, and it's incredibly powerful. It's based on BPF. You actually write one or more filtering "programs" of sorts that get run through the C preprocessor and run as a BPF filter. I wish I had some docs on it handy to post here. There were several places to plug filters in - pre-input, input, input for the machine, pre-output and output, the input/output ones being per-interface (again, if I recall correctly). The pre-input phase was for dealing with fragmentation and some other things, and the input stage would present all packets reassembled, etc. This let you compile and emplace rulesets to be run exactly when and where you need them to be run. It's morally wrong to just rip off the code from BSDI, but if I had to pick just one piece of code for something to steal from somewhere, for any purpose, this would be it hands down. It's just incredibly elegant. It's The Way To Go(tm). If a BPF-like solution isn't adopted, I would say that per-interface rulesets would be my number one wish. > -----Original Message----- > From: Brian Fundakowski Feldman [mailto:green@freebsd.org] > Sent: Wednesday, November 24, 1999 12:33 AM > To: ipfw@freebsd.org > Cc: arch@freebsd.org > Subject: new IPFW > > > I've finally sat myself down to take the first step in getting the new > IPFW done. I'll start by listing some of the different ideas > I've had, [snip] ------_=_NextPart_001_01BF37DA.B217A81A Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable RE: new IPFW

I've had the privelege of using BSD/OS 4.0's = firewalling code, and it's incredibly powerful. It's based on BPF. You = actually write one or more filtering "programs" of sorts that = get run through the C preprocessor and run as a BPF filter.

I wish I had some docs on it handy to post here. = There were several places to plug filters in - pre-input, input, input = for the machine, pre-output and output, the input/output ones being = per-interface (again, if I recall correctly). The pre-input phase was = for dealing with fragmentation and some other things, and the input = stage would present all packets reassembled, etc. This let you compile = and emplace rulesets to be run exactly when and where you need them to = be run.

It's morally wrong to just rip off the code from = BSDI, but if I had to pick just one piece of code for something to = steal from somewhere, for any purpose, this would be it hands down. = It's just incredibly elegant. It's The Way To Go(tm).

If a BPF-like solution isn't adopted, I would say = that per-interface rulesets would be my number one wish.

> -----Original Message-----
> From: Brian Fundakowski Feldman [mailto:green@freebsd.org]
> Sent: Wednesday, November 24, 1999 12:33 = AM
> To: ipfw@freebsd.org
> Cc: arch@freebsd.org
> Subject: new IPFW
>
>
> I've finally sat myself down to take the first = step in getting the new
> IPFW done. I'll start by listing some of = the different ideas
> I've had,
[snip]

------_=_NextPart_001_01BF37DA.B217A81A-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Nov 26 23:16: 1 1999 Delivered-To: freebsd-ipfw@freebsd.org Received: from ujf.ujf-grenoble.fr (ujf.ujf-grenoble.fr [193.54.232.33]) by hub.freebsd.org (Postfix) with ESMTP id E819F14DD9 for ; Fri, 26 Nov 1999 23:15:52 -0800 (PST) (envelope-from brunoc@ifrance.com) Received: from vanille.ujfgrenoble.fr (vanille.ujf-grenoble.fr [193.54.244.49]) by ujf.ujf-grenoble.fr (8.9.3/8.8.5) with SMTP id IAA26810 for ; Sat, 27 Nov 1999 08:15:33 +0100 (MET) Message-ID: <003801bf38a6$94c92500$31f436c1@ujfgrenoble.fr> From: "Christian BRUNO" To: Subject: new ipfw : non passive ftp and irc/dcc with firewalling Date: Sat, 27 Nov 1999 08:10:40 +0100 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0035_01BF38AE.E51225E0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2014.211 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG This is a multi-part message in MIME format. ------=_NextPart_000_0035_01BF38AE.E51225E0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable hello, this message was already posted to freebsd-hackers list, but this list = seems to be the right one for firewalling/address aliasing. i was modifying the libalias source to implement an h323 capability for = use with NATD and real firewalling ( i mean "deny of incoming tcp = connection setups" ) and i found a function that seems to be disabled in = my current fbsd 3.0 : the fwpunchhole() this function dynamically creates a rule in the firewall to allow an = incoming tcp setup from a host on a specific tcp port this allow non-passive FTP and IRC/DCC to work with a firewall rule like = : ## ipfw 10000 deny tcp from any to any in recv ppp0 setup my question : this function will disappear from the next IPFW release ?=20 what is your opinion about re-activating this piece of code in natd and = add a command line option to enable it ? this would solve my problem : when i get an incoming H323 call setup = (through ipfw DIVERT, i update the h323 session state but the packet is = blocked later by the rule "deby tcp setup") is there another way to = achieve this and allow this particular packet to go throught the = firewall without dynamically addind a new rule ? i think the new ipfw should allow "firewall holes" because many FreeBSD = boxes are used as routers/firewall in small networks (imo) thanks for your comments or ideas ! Regards Christian Bruno brunoc@ifrance.com ------=_NextPart_000_0035_01BF38AE.E51225E0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

hello,

this message was already posted to = freebsd-hackers=20 list, but this list seems to be the right one for firewalling/address=20 aliasing.

i was modifying the libalias source to implement = an h323=20 capability for use with NATD and real firewalling ( i mean "deny of = incoming tcp=20 connection setups" ) and i found a function that seems to be disabled in = my=20 current fbsd 3.0 : the fwpunchhole()

this function dynamically creates a rule in the = firewall=20 to allow an incoming tcp setup from a host on a specific tcp = port

this allow non-passive FTP and IRC/DCC to work = with a=20 firewall rule like :

## ipfw 10000 deny tcp from any to any in recv = ppp0=20 setup

my question : this function will = disappear from the=20 next IPFW release ?

what is your opinion about re-activating this = piece of=20 code in natd and add a command line option to enable it ?

this would solve my problem : when i get an = incoming H323=20 call setup (through ipfw DIVERT, i update the h323 session state but the = packet=20 is blocked later by the rule "deby tcp setup") is there another way to = achieve=20 this and allow this particular packet to go throught the firewall = without=20 dynamically addind a new rule ?

i think the new ipfw should allow "firewall = holes"=20 because many FreeBSD boxes are used as routers/firewall in small = networks=20 (imo)

thanks for your comments or ideas !

Regards

Christian Bruno

brunoc@ifrance.com

------=_NextPart_000_0035_01BF38AE.E51225E0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message