From owner-freebsd-ipfw Sun Sep 1 13:39:10 2002
From: Ian Kettleborough
To: ipfw@freebsd.org
Subject: Need some info please
Date: Sun, 1 Sep 2002 13:39:05 -0700 (PDT)
Message-Id: <200209012039.NAA20649@idk.com>

I am getting a lot of DNS accesses (one was 50,000), but when I catch these
I can block. What I am interested in is the time that a typical denial
statement

    ipfw add 1000 reject udp from x.x.x.0/24 to any

takes to run, and is this the most efficient way to do it?

I am still running 2.8 (until I get 6.2 installed), but I may have 50 of
these statements already, mostly from Eastern Europe, China, Russia and
others.

Any help or suggestions appreciated.

Thanks
Ian
ian@idk.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Mon Sep 2 8:27:53 2002
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: ipfw2 vs. ipfw1 and 4.7
Date: Mon, 2 Sep 2002 08:27:43 -0700
Message-ID: <20020902082743.D87097@iguana.icir.org>

People,

now that the release of 4.7 is approaching, I would really appreciate it if
you could give ipfw2 a try and see whether it breaks anything in your
rulesets. Also have a look at the manpage highlighting the differences
between ipfw1 and ipfw2 to see if your rulesets can be simplified/made more
efficient.

While I am not suggesting a switch in the default to be used in the
distribution, I think it would be appropriate to mention ipfw2's existence
in the release notes and elsewhere. I really believe it to be at least as
reliable as ipfw1 and a lot more powerful in terms of features.

I know there are several people already using ipfw2 in production, and I
have no outstanding bug reports for the kernel part of ipfw2 (there were
very few anyways) and only one for the userland part (wrong byte order for
port numbers in "fwd" commands, for which the [trivial] fix below will be
committed soon).

Also, I am not going to put work on extending ipfw1's life -- if you have
an ipfw1 bug report or feature request for something that is working in
ipfw2, you know what my answer will be...

cheers
luigi

NOTE: In order to use ipfw2, you must compile your kernel with

    options IPFW2

in addition to all other IPFIREWALL* options, and also rebuild and
reinstall /sbin/ipfw and usr/lib/libalias with

    make -DIPFW2
    make -DIPFW2 install

The manpage for ipfw now tells you the syntax for ipfw2 commands and has a
section highlighting the differences between ipfw1 and ipfw2.
Index: ipfw2.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.12
diff -u -r1.12 ipfw2.c
--- ipfw2.c 19 Aug 2002 12:36:54 -0000 1.12
+++ ipfw2.c 2 Sep 2002 15:01:31 -0000
@@ -908,7 +908,7 @@ printf("fwd %s", inet_ntoa(s->sa.sin_addr)); if (s->sa.sin_port) - printf(",%d", ntohs(s->sa.sin_port)); + printf(",%d", s->sa.sin_port); } break; @@ -2592,7 +2592,7 @@ if (s == end) errx(EX_DATAERR, "illegal forwarding port ``%s''", s); - p->sa.sin_port = htons( (u_short)i ); + p->sa.sin_port = (u_short)i; } lookup_host(*av, &(p->sa.sin_addr)); }
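Review bot: with the `ntohs()` dropped from the `fwd` printer in the first hunk (`printf(",%d", s->sa.sin_port);`), `sin_port` is now read as a host-order value even though it sits inside a `struct sockaddr_in`, where everything else that handles that structure expects network order; add a comment at this `printf` recording that ipfw2 keeps the `fwd` port in host order on purpose, otherwise the next reader will put the conversion back. `%u` rather than `%d` would also document that the printed port is unsigned.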
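Review bot: `p->sa.sin_port = (u_short)i;` in the second hunk truncates silently, and the only check visible before it, `if (s == end)`, rejects a non-numeric argument but not an out-of-range one; unless `i` is bounds-checked above the hunk, add a range test such as `if (i < 0 || i > 65535) errx(EX_DATAERR, "illegal forwarding port ``%s''", s);` before the cast, so that a mistyped `fwd` port is reported instead of being wrapped modulo 65536 into a valid-looking rule.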
From owner-freebsd-ipfw Mon Sep 2 10:43:48 2002
From: "Lists"
To: "Ian Kettleborough"
References: <200209012039.NAA20649@idk.com>
Subject: Re: Need some info please
Date: Mon, 2 Sep 2002 19:43:52 +0200
Message-ID: <002a01c252a8$4e05c6e0$0201a8c0@cghome>

What type of access?? Attempted zone transfers??

Do you wish to block off all DNS incoming traffic? Then you could use:

    ipfw add 10 deny log tcp from any to "yourhost" in via "your_interface_connected_to_internet"
    ipfw add 11 deny log udp from any to "yourhost" in via "your_interface_connected_to_internet"

Are you using a "default to accept" configuration? You'd better change
that, or I'll guess that you will forget a lot of rules.

Best regards
Christian

----- Original Message -----
From: "Ian Kettleborough"
Sent: Sunday, September 01, 2002 10:39 PM
Subject: Need some info please

> [...]
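Ian's question is how expensive fifty per-source reject rules are and whether there is a better way. Since ipfw tests rules in order until one matches, the first thing to establish is which of those rules actually fire and which are dead weight. The script below is an added example, not code from either poster: it parses the counters column of `ipfw -a list` output and reports block rules that have matched nothing, exact duplicates that can never match because an earlier identical rule already terminates the walk, and a busiest-first ordering. The `ipfw -a list` layout it assumes is "rule packets bytes action [log] proto from src to dst ..." and the sample output is constructed, not captured from a real host.

```python
import re
from collections import namedtuple

# One parsed line of `ipfw -a list`: rule number, packet/byte counters, action,
# protocol, source, destination and whatever options follow (e.g. "via lo0").
Rule = namedtuple("Rule", "number packets bytes action proto src dst rest")

# Constructed sample in the layout of `ipfw -a list`; it is not output captured
# from any real host. The 198.51.100.0/24 rule appears twice on purpose.
SAMPLE = """\
00100    9812  1204381 allow ip from any to any via lo0
01000       0        0 reject udp from 203.0.113.0/24 to any
01010   51234  3892784 reject udp from 198.51.100.0/24 to any
01020      17     1292 reject udp from 192.0.2.0/24 to any
01030       0        0 reject udp from 198.51.100.0/24 to any
01040       6      480 deny log tcp from any to 192.0.2.10 53
05000  887213 93815522 allow udp from any to 192.0.2.10 53
65535       3      228 deny ip from any to any
"""

# rule, packets, bytes, action, optional "log [logamount N]", proto, src, dst, rest
LINE_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)"
    r"(?:\s+log(?:\s+logamount\s+\d+)?)?"
    r"\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s*(.*)$")

# Actions that terminate the rule walk by dropping the packet.
BLOCK_ACTIONS = ("deny", "reject", "unreach")


def parse_rules(text):
    """Turn `ipfw -a list` text into Rule records; raises on a line it cannot read."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised ipfw list line: %r" % line)
        num, pkts, byts, action, proto, src, dst, rest = m.groups()
        rules.append(Rule(int(num), int(pkts), int(byts), action, proto,
                          src, dst, rest.strip()))
    return rules


def block_rules(rules):
    return [r for r in rules if r.action in BLOCK_ACTIONS]


def idle_block_rules(rules):
    """Numbers of block rules that matched nothing since the counters were zeroed."""
    return [r.number for r in block_rules(rules) if r.packets == 0]


def shadowed_duplicates(rules):
    """Map a later block rule to the earlier one with an identical match body.

    The later rule can never fire: ipfw stops at the first terminal rule that
    matches, so the duplicate only costs a comparison on every packet."""
    first_seen = {}
    shadowed = {}
    for r in block_rules(rules):
        key = (r.action, r.proto, r.src, r.dst, r.rest)
        if key in first_seen:
            shadowed[r.number] = first_seen[key]
        else:
            first_seen[key] = r.number
    return shadowed


def hottest_first(rules):
    """Block rule numbers ordered by packet count, busiest first (ties keep rule order).

    Because ipfw walks the list sequentially, placing the busiest rejects ahead
    of idle ones shortens the path for the bulk of the unwanted traffic. Only
    reorder rules whose match conditions are disjoint, as the per-/24 rules are;
    never move a block rule across an allow rule it was meant to precede."""
    ordered = sorted(block_rules(rules), key=lambda r: (-r.packets, r.number))
    return [r.number for r in ordered]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    print("idle block rules:      ", idle_block_rules(rules))
    print("shadowed duplicates:   ", shadowed_duplicates(rules))
    print("busiest-first ordering:", hottest_first(rules))
```

On a live host the input would be `ipfw -a list` piped into the script; the counters are cumulative since the last `ipfw zero`, so zero them, wait a representative interval and only then judge a rule idle.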
From owner-freebsd-ipfw Tue Sep 3 07:03:36 2002
From: Rolf Grossmann
To: ipfw@FreeBSD.ORG
Subject: ipfw2 as a kernel module?
Date: Tue, 3 Sep 2002 16:03:17 +0200 (CEST)
Message-Id: <200209031403.g83E3HE03552@isis.muc.progtech.intern>

Hi,

I'm wondering what's planned for building ipfw2 as a kernel module.
Personally, I've already put IPFW2=YES into my /etc/make.conf, so ipfw(8)
would work as expected. On a test box, I naively tried to kldload ipfw,
with no luck. Checking the module quickly showed that it still builds
traditional ipfw. A simple patch (attached) fixed that. Now I'd like to
know if that's really all it takes and if it will go into 4.7, or what
your plans are.

Thanks, Rolf

PS: I think it would be great to have only one option for putting ipfw in
the kernel and have IPFW2=YES make that ipfw2. It looks to me like the
code is (almost?) ready for that anyway. Any plans?

RCS file: /home/freebsd/cvs/cvs/src/sys/modules/ipfw/Makefile,v
retrieving revision 1.11
diff -u -r1.11 Makefile
--- Makefile 28 Aug 1999 00:47:21 -0000 1.11
+++ Makefile 3 Sep 2002 13:42:44 -0000
@@ -2,9 +2,14 @@ .PATH: ${.CURDIR}/../../netinet KMOD= ipfw -SRCS= ip_fw.c NOMAN= +.if IPFW2 +SRCS= ip_fw2.c +CFLAGS+= -DIPFW2 +.else +SRCS= ip_fw.c CFLAGS+= -DIPFIREWALL +.endif # #If you want it verbose #CFLAGS+= -DIPFIREWALL_VERBOSE
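Review bot: `.if IPFW2` tests a bare word; since the selector is a variable that is either set (`IPFW2=YES` in /etc/make.conf, as the message says, or `make -DIPFW2` as in Luigi's note earlier in the thread) or absent, `.if defined(IPFW2)` states that intent unambiguously instead of relying on how make evaluates a bare identifier. Also, the ipfw2 branch adds only `-DIPFW2` while the ipfw1 branch keeps `CFLAGS+= -DIPFIREWALL`; given that the kernel needs `options IPFW2` in addition to the IPFIREWALL* options, confirm whether ip_fw2.c built as a module also needs `-DIPFIREWALL`, and if so put that line outside the `.if`/`.else` rather than only in the ipfw1 branch.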