From owner-freebsd-ipfw Sun Apr 9 12:13:40 2000
Date: Sun, 9 Apr 2000 15:12:22 -0400 (EDT)
From: Brian Fundakowski Feldman
To: Mike Heffner
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Problem solved? -- RE: Problems with natd

On Sat, 8 Apr 2000, Mike Heffner wrote:

> Well, after updating from this morning's source (kernel and make world) the
> problem seems to have gone away. I would like to know what the problem
> was, and what fixed it; in case we have just re-hid the problem for another
> time. Unfortunately, I don't have enough time to track this down any further.
>
> Thanks to all who provided assistance in this matter. (Crist J. Clark)

One of these is probably what fixed it:

jlemon      2000/03/29 18:16:43 PST

  Modified files:
    sys/netinet          ip_output.c
  Log:
  If `ipfw fwd' loops an mbuf back to ip_input from ip_output and the
  mbuf is marked for delayed checksums, then additionally mark the
  packet as having its checksums computed. This allows us to bypass
  computing/checking the checksum entirely, which isn't really needed
  as the packet has never hit the wire.

  Reviewed by: green

  Revision  Changes    Path
  1.101     +8 -7      src/sys/netinet/ip_output.c

jlemon      2000/04/01 10:51:05 PST

  Modified files:
    sys/netinet          ip_output.c
  Log:
  Calculate any delayed checksums before handing an mbuf off to a
  divert socket. This fixes a problem with ppp/natd.

  Reviewed by: bsd (Brian Dean, gotta love that login name)

  Revision  Changes    Path
  1.102     +11 -1     src/sys/netinet/ip_output.c

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Apr 12 21:22:28 2000
From: Brian Dean
Reply-To: bsd@freebsd.org
To: freebsd-ipfw@freebsd.org
Date: Thu, 13 Apr 2000 00:21:52 -0400 (EDT)
Subject: local firewall rules

Hi,

I just got my cable modem and decided to tighten things up a bit with a firewall. My firewall/gateway also runs NAT so that my several internal hosts can share this wonderful little pipe. Well, "firewall_type=simple" is not sufficient for this to work (because of NAT), so I started with the 'simple' rules and modified them so that my internal LAN works the way it should.

The only problem is that my outside interface gets its address via DHCP, so I can't hardcode it into the firewall rules. Thus, I put my rules into a shell script called 'rc.firewall.local' where I can determine what the interface IP address is at boot time, then set firewall_type=/etc/rc.firewall.local. Then I made the following modification to /etc/rc.firewall:

--- /etc/rc.firewall Fri Feb 11 20:14:43 2000 +++ ./rc.firewall Mon Apr 10 20:59:06 2000
@@ -228,7 +228,9 @@ [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;; *) - if [ -r "${firewall_type}" ]; then + if [ -x "${firewall_type}" ]; then + ${firewall_type} + elif [ -r "${firewall_type}" ]; then ${fwcmd} ${firewall_flags} ${firewall_type} fi ;;

This checks to see if the rule file is executable first, and if so, executes it; otherwise it works like before and feeds it into the 'ipfw' program. This change allows you to run a program that sets up your firewall rules, instead of forcing it to be an 'ipfw' rule file with hardcoded values.

If nobody minds, I'd like to commit this change. However, if there's another "proper" way that I should have done this, please let me know. I don't think putting these in /usr/local/etc/rc.d is sufficient, since that's the very last thing to run, and thus there is a window where traffic that you would normally block would be free to pass through the firewall.

Thanks,
-Brian
--
Brian Dean
bsd@FreeBSD.ORG
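Review bot: in the hunk the new `+ ${firewall_type}` branch executes the script with no arguments, so an executable rule script never receives the `${firewall_flags}` that the `elif` branch still passes to `${fwcmd}`; running it as `${firewall_type} ${firewall_flags}` would let both branches honour the same flags. Because the file is run as root at boot and is selected purely by the `-x` test, a plain ipfw rule file that is accidentally chmod +x will be exec'd instead of being fed to ipfw, and anyone able to write the file controls the root firewall setup, so it is worth documenting (or checking before the exec) that the script must be root-owned and not group- or world-writable.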
From owner-freebsd-ipfw Wed Apr 12 21:51:34 2000
From: Mike Heffner
To: bsd@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 13 Apr 2000 00:50:53 -0400 (EDT)
Subject: RE: local firewall rules

On 13-Apr-2000 Brian Dean wrote:
| If nobody minds, I'd like to commit this change. However, if there's
| another "proper" way that I should have done this, please let me know.
| I don't think putting these in /usr/local/etc/rc.d is sufficient,
| since that's the very last thing to run, and thus there is a window
| where traffic that you would normally block would be free to pass
| through the firewall.
|

I'm all for it. I have a similar situation; I run a script, instead of inputting to ipfw. One note, should the ${firewall_flags} and maybe ${firewall_quiet} be sent as args to the script?

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA     ICQ# 882073   *
 * Sent at: 13-Apr-2000 -- 00:41:02 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/
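A worked version of what Brian describes above (an executable firewall_type script that learns the DHCP-assigned outside address at boot and loads the NAT rule set), taking Mike's suggestion of passing ${firewall_flags} as arguments. This is an added example, not either poster's script; the interface names ed0/ed1, the inside network, the rule numbers and the dry-run default for fwcmd are assumptions.

```shell
#!/bin/sh
# Added example (not Brian Dean's script): an executable firewall_type
# script, e.g. /etc/rc.firewall.local, for a NAT gateway whose outside
# interface only gets its address from DHCP at boot. Names are assumptions.
oif=${oif:-ed0}               # outside (cable modem) interface
iif=${iif:-ed1}               # inside LAN interface
inet=${inet:-192.168.1.0/24}  # inside network
fwcmd=${fwcmd:-"echo ipfw"}   # dry run by default; use /sbin/ipfw at boot

# Print the first IPv4 address in ifconfig(8) output read from stdin
# (prints nothing if the interface has no address yet).
iface_addr() { awk '$1 == "inet" { print $2; exit }'; }

# Print the rule set, one ipfw argument list per line. $1 = outside
# address; further args (e.g. firewall_flags) are prefixed to each line.
build_rules() {
    oip=$1; shift
    p=${1:+"$* "}
    if [ -z "$oip" ]; then
        # DHCP not finished: fail closed, only loopback and the LAN pass.
        printf '%s\n' "${p}add 100 allow all from any to any via lo0" \
            "${p}add 300 allow all from any to any via $iif" \
            "${p}add 65000 deny log all from any to any"
        return 1
    fi
    printf '%s\n' \
        "${p}add 100 allow all from any to any via lo0" \
        "${p}add 200 deny all from any to 127.0.0.0/8" \
        "${p}add 300 allow all from any to any via $iif" \
        "${p}add 400 divert natd all from any to any via $oif" \
        "${p}add 500 deny all from $inet to any in via $oif" \
        "${p}add 600 allow tcp from any to any established" \
        "${p}add 700 allow tcp from any to any out via $oif setup" \
        "${p}add 800 allow udp from any to any 53 out via $oif" \
        "${p}add 900 allow udp from any 53 to any in via $oif" \
        "${p}add 1000 allow icmp from any to any icmptypes 0,3,8,11" \
        "${p}add 1100 allow tcp from any to $oip 22 in via $oif setup" \
        "${p}add 65000 deny log all from any to any"
}

# Flush and load: the divert and ssh rules need the address found at boot.
load_rules() {
    oip=$(ifconfig "$oif" 2>/dev/null | iface_addr)
    $fwcmd -f flush
    build_rules "$oip" "$@" | while read -r line; do $fwcmd $line; done
}

load_rules "$@"
```

With rc.firewall calling the script as `${firewall_type} ${firewall_flags}`, the flags reach every rule through the prefix; the anti-spoof rule sits after the divert because natd only rewrites the destination of inbound packets.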
From owner-freebsd-ipfw Fri Apr 14 22:52:33 2000
From: "NuClEaR"
To: freebsd-ipfw@freebsd.org
Date: Sun, 16 Apr 2000 01:53:59 +0200
Subject: 2ips on same interface whit natd and ipfw

hi,
im a big probleme im 2 ip on same interface, or after
ipfw add divert natd all from any to any via ed1
is loader i connect bind on my 2e ip ... juste 1ip werk
and ping to 2th ip ping reply is from 1st ip ...
plz help me !

Yan Ouellet
DioxyNet root
From owner-freebsd-ipfw Sat Apr 15 1:57:10 2000
From: Mike Nowlin
To: NuClEaR
Cc: ipfw@FreeBSD.ORG, adoyle@viewsnet.com
Date: Sat, 15 Apr 2000 04:56:43 -0400 (EDT)
Subject: Re: 2ips on same interface whit natd and ipfw

> hi,
> im a big probleme im 2 ip on same interface, or after
> ipfw add divert natd all from any to any via ed1
> is loader i connect bind on my 2e ip ... juste 1ip werk
> and ping to 2th ip ping reply is from 1st ip ...

Loosely translated: I'm having a big problem. I have two IP addresses on the same interface, and outgoing connections are sourced from the first defined IP address.

First of all, use English. It's a wonderful language, even with all of its stupidities. No English? Try Pig Latin. No Pig Latin? Try any of the other proper languages that aren't meant to make people look "cool", not ones that end up making people look "$+up1d". This is a professional-quality mailing list, and (in my opinion), we'd appreciate professional-quality questions.

Second, an answer: If I'm understanding(?) your problem correctly, you're using the "ifconfig alias" command to add a second IP address to a network card. This is primarily used to make an interface respond to an additional IP address.
This is really meant to handle incoming connections, not outgoing. If you try to telnet/ping/whatever to the second IP address, the interface should respond, but any outgoing connections will use the primary IP address.

Fix: Either install a second network card with the second IP address and set up the routing tables correctly, or tell us what you're actually having problems with in some manner that makes sense.

--mike

(BTW: My "language comments" are coming from the viewpoint of someone who used the "version 1.0" of that "language" WAY back when... Things get out of hand pretty easily in this world...)