From owner-freebsd-ipfw@FreeBSD.ORG Sun May 4 00:53:40 2003
Date: Sun, 4 May 2003 11:53:31 +0400 (MSD)
From: maxes@peterlink.ru
To: Mihail Balikov
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <002601c31206$5ab1a080$9bf212d9@interbgc.com>
Subject: Re: src-limit trouble

> this happens when you have more than one rule with "limit".

What exactly happens - LIMIT without PARENT or FIN_WAIT_2 problem?
I use only one limit rule:

  ipfw sh | grep limit | wc -l
  1

> > I have small patch for 4.7

Can you send it to me or to the list?

b.r.
Kozin Maxim

From: "Mihail Balikov"
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 4 May 2003 12:06:59 +0300
Subject: Re: src-limit trouble

I was incorrect, the problem appears when you have a lot of PARENT with a single static rule. Here you are, a very simple patch for 4.8.

regards,
Mihail

--- ip_fw2.c.orig Sun May 4 11:44:42 2003 +++ ip_fw2.c Sun May 4 11:49:22 2003 @@ -682,10 +682,14 @@ max_pass = 1; if (pass == 0) goto next; - if (FORCE && q->count != 0 ) { - /* XXX should not happen! */ - printf( "OUCH! cannot remove rule," - " count %d\n", q->count); + if (q->count != 0) { + if (FORCE) { + /* XXX should not happen! */ + printf( "OUCH! cannot remove rule," + " count %d\n", q->count); + } else { + goto next; + } } } else { if (!FORCE &&
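Review bot: the added `goto next` only changes the expiry (non-FORCE) path; in the FORCE branch a parent with `q->count != 0` still prints "OUCH! cannot remove rule" and then falls through to whatever follows the hunk, just as the removed lines did, so the mail should say whether a forced delete of a parent that still has children is meant to stay possible, and if not, the same `goto next` belongs in that branch too. A one-line comment above `if (q->count != 0)` stating that a LIMIT parent is kept until its children have gone would make the intent clear, since the `XXX should not happen!` comment now describes only the forced case. A parent skipped this way is only looked at again on a later call of this routine (the `pass == 0` context shows parents are already deferred to the second pass), which is fine for periodic expiry but worth stating next to the new branch.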
> To: "Mihail Balikov"
> Sent: Sunday, May 04, 2003 10:53 AM
> Subject: Re: src-limit trouble
>
> > this happens when you have more than one rule with "limit".
> What exactly happens - LIMIT without PARENT or FIN_WAIT_2 problem?
> I use only one limit rule:
> ipfw sh | grep limit | wc -l
> 1
> >
> > > I have small patch for 4.7
> Can you send it to me or to the list?
>
> b.r.
> Kozin Maxim

From: "John Meyer"
Date: Mon, 5 May 2003 15:52:39 +0200
Subject: Re: FreeBSD 4.2 ipfw natd -- Port Forwarding?

Hi

Thanks to whoever helps me.
I have BSD 4.8 with nat and ipfw compiled.
My ipfw script contains one comment near the end:

  add 10000 allow tcp from any to 192.168.0.249 setup

and my natd.conf has a statement:

  redirect_address 192.168.0.249 196.xx.xxx.xxx

The problem is I cannot seem to get what is blocking the connection.
If I do ipfw show while I browse to the IP with Explorer, nothing seems to get to it.
(Looks like rule 00600 add divert natd ip from any to any via fxp0 blocks it.)
I have found so many ways to do it on the internet that I myself am now getting confused.
For www redirection, what should be the best and easiest way?

Thanks
John Meyer

Date: Mon, 05 May 2003 06:59:12 -0700
From: Michael Sierchio
To: John Meyer
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <000901c3130d$97dab020$0401a8c0@netroach.com>
Subject: Re: FreeBSD 4.2 ipfw natd -- Port Forwarding?

John Meyer wrote:
> I have BSD 4.8 with nat and ipfw compiled.
> My ipfw script contains one comment near the end
> add 10000 allow tcp from any to 192.168.0.249 setup
>
> and my natd.conf has a statement
> redirect_address 192.168.0.249 196.xx.xxx.xxx
>
> The problem is I cannot seem to get what is blocking the connection.

You are. ;-)

Until you're considerably more familiar with ipfirewall and natd, don't use stateful rules with NAT. NAT is already stateful. Packets on the outbound side won't match your stateful rule, because they aren't from 192.x.y.z but from 196.a.b.c.

> if I do ipfw show while I browse to the ip with explorer nothing seems to get to it.
> (Looks like rule 00600 add divert natd ip from any to any via fxp0 blocks it)

So, set natd to deny_incoming if you're concerned about blocking packets that aren't part of any connected tcp stream.

Date: Mon, 5 May 2003 11:01:33 -0700 (PDT)
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2003/01/05] bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/01/15] bin/47120   ipfw   [patch] Sanity check in ipfw(8)
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r

4 problems total.

Date: Tue, 06 May 2003 08:14:42 -0400
To: freebsd-ipfw@freebsd.org
From: John Brogan
Subject: Bandwidth is limited under defined limit

I'm not sure what details I should grab from our system but here is a breakdown of the problem.

Router: running FreeBSD 4.7-p10 running ipfw for firewall and simple traffic shaper.

Circuit: 36mbps

Problem: Trying to limit port 25 traffic from inside our network to use no more than 30mbps at any time, leaving 6mbps for web and other traffic. I am only getting 22mbps of outbound port 25 traffic no matter how I alter the pipe statement (below).

In my rc.firewall at the top of the ruleset I have:

  ${fwcmd} add pipe 1 tcp from x.x.x.x/24 to any 25
  ${fwcmd} pipe 1 config bw 30Mbit/s

(I'm showing x's instead of digits for reference)

If I do an ipfw -a list, the pipe shows up as:

  00400 57500157 62391158214 pipe 1 tcp from x.x.x.x/24 to any 25

If I do an "ipfw pipe show" I get:

  00001: 30.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
  mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
  BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp x.x.x.x/3576 x.x.x.x/25 62443512 67705656555 0 0 6649763

I can set that "pipe 1 config bw" statement to 90mbps or 100mbps or something outrageous and it still does not want to let bandwidth go over 22mbps for port 25 traffic.

I am delivering news (opt-in only) for a very large cable news company and we are trying to figure out how to get more bandwidth for port 25 but not to saturate the circuit. If we remove the pipe altogether just to make certain it's not some hardware issue then we almost immediately saturate the link at 100% with just port 25 traffic.

I've read through the archives but have not found something similar to this, or at least from what I searched for. What could be causing this, and if you have suggestions for other settings to make on this, I would appreciate the help.

I'd rather use ipfw than buy a piece of hardware to do the bandwidth limiting because I've been a FreeBSD user back to the 1.1.5.1 days and believe in the product and project 100%.

Oh, and if anyone knows how I can get in touch with Rod Grimes, please let me know or pass my address along to him. I have a potential project for him.

Many Thanks

John Brogan
jbrogan.com

From: "vijaypatel"
Date: Tue, 6 May 2003 18:15:14 +0530
Subject: Developing Proxy Server - Don't have Speed.

Hi,

We are developing a transparent proxy server on FreeBSD 4.7 having hardware configuration Pentium-I 200MHz, 64 MB RAM. We have done the following things.

-- we have done Network Address Translation for every packet going outside.
-- we are using libnet 1.0 & C Socket API, C Standard Template Lib. (Hash, Map, Vector) for Network Address Translation.

Network Address Translation is giving exact result.

Problem
-- we are testing speed of Network Address Translation operation which is about 7 KB/S which is extremely slow.
-- we have configured SQUID proxy server to measure speed of internet which is about 700 KB/S
-- Earlier we thought that less speed is because of LIBNET Library so we removed everything concerning LIBNET & used SOCKET APIs only.
-- we have tested same code on LINUX 7.1 which is giving speed of about 300 KB/S which is quite reasonable.

We want to build an application like IPFW - natd as a part of the project. We are aiming to get around 500 KB/S speed of our proxy server, so help us in finding out the bottleneck of our code or suggest any alternative way.

Please suggest any solution so that the speed of Network Address Translation can be increased.

Thanks in Advance.

From: Mihail Balikov
To: John Brogan
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 06 May 2003 17:39:59 +0300
Subject: Re: Bandwidth is limited under defined limit

Try to increase HZ to 1000 (or more).

/boot/loader.conf:
  kern.hz="1000"

or recompile the kernel with
  options HZ=1000

regards,
Mihail Balikov

John Brogan writes:
> I'm not sure what details I should grab from our system but here is a
> breakdown of the problem.
>
> Router: running freebsd 4.7-p10 running ipfw for firewall and simple
> traffic shaper.
>
> Circuit: 36mbps
>
> Problem: Trying to limit port 25 traffic from inside our network to use no
> more than 30mbps at any time, leaving 6mbps for web and other traffic. I
> am only getting 22mbps of outbound port 25 traffic no matter how I alter
> the pipe statement (below)
>
> in my rc.firewall at the top of the ruleset I have:
>
> ${fwcmd} add pipe 1 tcp from x.x.x.x/24 to any 25
> ${fwcmd} pipe 1 config bw 30Mbit/s
>
> (I'm showing x's instead of digits for reference)
>
> If I do an ipfw -a list, the pipe shows up as:
>
> 00400 57500157 62391158214 pipe 1 tcp from x.x.x.x/24 to any 25
>
> if I do an "ipfw pipe show" I get:
>
> 00001: 30.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes
> Pkt/Byte Drp
> 0 tcp x.x.x.x/3576 x.x.x.x/25 62443512 67705656555 0 0 6649763
>
> I can set that "pipe 1 config bw" statement to 90mbps or 100mbps or
> something outrageous and it still does not want to let bandwidth go over
> 22mbps for port 25 traffic
>
> I am delivering news (opt-in only) for a very large cable news company and
> we are trying to figure out how to get more bandwidth for port 25 but not
> to saturate the circuit. If we remove the pipe altogether just to make
> certain it's not some hardware issue then we almost immediately saturate
> the link at 100% with just port 25 traffic.
>
> I've read through the archives but have not found something similar to
> this, or at least from what I searched for. What could be causing this
> and if you have suggestions for other settings to make on this, I would
> appreciate the help.
>
> I'd rather use ipfw than buy a piece of hardware to do the bandwidth
> limiting because I've been a freebsd user back to the 1.1.5.1 days and
> believe in the product and project 100%
>
> Oh, and if anyone knows how I can get in touch with Rod Grimes, please let
> me know or pass my address along to him. I have a potential project for
> him.
>
> Many Thanks
>
> John Brogan
> jbrogan.com
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

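The Drp counter in the quoted "ipfw pipe show" output is the figure that the HZ suggestion addresses. As an added example (not code from the thread or from FreeBSD), this script parses that output, computes the share of offered packets the single shared drop-tail queue discarded, and models how many scheduler ticks the 50-slot queue can absorb at HZ=100 versus HZ=1000; the function names, the simplified per-tick model and the reading of Tot_pkt as packets accepted into the queue are assumptions, not dummynet's actual code.

```python
"""Parse "ipfw pipe show" output and relate its drop counter to the
tick-based scheduling (HZ) discussed in the thread."""
import re

# Constructed sample input: the "ipfw pipe show" output quoted in the
# thread, with the x.x.x.x addresses left exactly as the poster masked them.
PIPE_SHOW = """\
00001:  30.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp     x.x.x.x/3576      x.x.x.x/25  62443512 67705656555  0    0 6649763
"""

# Pipe header: "<num>: <bw> <unit>|unlimited <delay> ms <slots> sl. <n> queues"
PIPE_RE = re.compile(
    r"^(\d+):\s+(?:([\d.]+)\s+(\w*bit/s)|unlimited)\s+(\d+)\s+ms\s+(\d+)\s+sl\.\s+(\d+)\s+queues")
# Flow row: "<bkt> <proto> <src/port> <dst/port> Tot_pkt Tot_bytes Pkt Byte Drp"
FLOW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
UNIT = {"bit/s": 1, "Kbit/s": 1_000, "Mbit/s": 1_000_000}


def parse_pipe_show(text):
    """Return a list of pipes, each with its configuration and flow counters."""
    pipes = []
    for line in text.splitlines():
        m = PIPE_RE.match(line)
        if m:
            num, bw, unit, delay, slots, queues = m.groups()
            pipes.append({
                "pipe": int(num),
                "bw_bps": int(float(bw) * UNIT[unit]) if bw else 0,  # 0 = unlimited
                "delay_ms": int(delay),
                "slots": int(slots),      # queue length in packets (drop-tail)
                "queues": int(queues),    # 1 queue + all-zero mask = every flow shares it
                "flows": [],
            })
            continue
        m = FLOW_RE.match(line)
        if m and pipes:
            _bkt, proto, src, dst, tot_pkt, tot_bytes, pkt, byte, drp = m.groups()
            pipes[-1]["flows"].append({
                "proto": proto, "src": src, "dst": dst,
                "tot_pkt": int(tot_pkt), "tot_bytes": int(tot_bytes),
                "queued_pkt": int(pkt), "queued_bytes": int(byte),
                "drops": int(drp),
            })
    return pipes


def drop_ratio(flow):
    """Fraction of offered packets that were dropped. Assumption: Tot_pkt
    counts packets accepted into the queue, so offered = Tot_pkt + Drp."""
    offered = flow["tot_pkt"] + flow["drops"]
    return flow["drops"] / offered if offered else 0.0


def avg_packet_size(flow):
    """Mean size in bytes of the packets that passed through the queue."""
    return flow["tot_bytes"] / flow["tot_pkt"] if flow["tot_pkt"] else 0.0


def tick_profile(bw_bps, hz, avg_pkt_bytes, slots):
    """Simplified model (assumption, not the kernel code): every clock tick
    the pipe may release bw/HZ bits, so a drop-tail queue of `slots` packets
    can absorb only `queue_ticks` ticks' worth of arrivals before dropping."""
    bytes_per_tick = bw_bps / hz / 8
    pkts_per_tick = bytes_per_tick / avg_pkt_bytes
    return {
        "tick_ms": 1000 / hz,
        "bytes_per_tick": bytes_per_tick,
        "pkts_per_tick": pkts_per_tick,
        "queue_ticks": slots / pkts_per_tick,
    }


def audit(text, hz=100):
    """Flag flows that lose over 1% of offered packets, or whose queue covers
    fewer than two scheduler ticks at the given HZ (FreeBSD 4.x default 100)."""
    findings = []
    for p in parse_pipe_show(text):
        for f in p["flows"]:
            prof = tick_profile(p["bw_bps"], hz, avg_packet_size(f), p["slots"]) if p["bw_bps"] else None
            ratio = drop_ratio(f)
            if ratio > 0.01 or (prof and prof["queue_ticks"] < 2):
                findings.append((p["pipe"], f["src"], f["dst"], ratio,
                                 prof["queue_ticks"] if prof else None))
    return findings


if __name__ == "__main__":
    for p in parse_pipe_show(PIPE_SHOW):
        for f in p["flows"]:
            print(f"pipe {p['pipe']}: {f['src']} -> {f['dst']} dropped "
                  f"{drop_ratio(f):.1%}, avg packet {avg_packet_size(f):.0f} B")
            for hz in (100, 1000):
                prof = tick_profile(p["bw_bps"], hz, avg_packet_size(f), p["slots"])
                print(f"  HZ={hz}: {prof['pkts_per_tick']:.1f} pkt/tick, "
                      f"{p['slots']}-slot queue covers {prof['queue_ticks']:.1f} ticks")
```

On the quoted counters the queue dropped roughly 9.6% of offered packets, and at HZ=100 the 50 slots hold under 1.5 ticks of 30 Mbit/s traffic, versus about 14 ticks at HZ=1000.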
From: Johan Karlsson
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/47529: natd/ipfw lose TCP packets for firewalled machines

Synopsis: natd/ipfw lose TCP packets for firewalled machines

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:34:18 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=47529

From: Johan Karlsson
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/50216: kernel panic on 5.0-current when use ipfw2 with dynamic rules

Synopsis: kernel panic on 5.0-current when use ipfw2 with dynamic rules

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:35:46 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=50216

From: Johan Karlsson
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/51485: "Fatal trap 12" from bridge code with ipfw enabled, when passing a traceroute.

Synopsis: "Fatal trap 12" from bridge code with ipfw enabled, when passing a traceroute.

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:36:41 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=51485

From: Johan Karlsson
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/51132: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly

Synopsis: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:49:32 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=51132

From: Johan Karlsson
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/51274: ipfw2 create dynamic rules with parent number 65535

Synopsis: ipfw2 create dynamic rules with parent number 65535

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:50:16 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=51274

From: Johan Karlsson
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/51341: ipfw rule 'deny icmp from any to any icmptype 5' matches fragmented icmp packets

Synopsis: ipfw rule 'deny icmp from any to any icmptype 5' matches fragmented icmp packets

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:51:20 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=51341

From: Johan Karlsson
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/26534: Add an option to ipfw to log gid/uid of who caused the rule

Synopsis: Add an option to ipfw to log gid/uid of who caused the rule

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:52:54 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=26534

From: Johan Karlsson
To: gary@outloud.org, johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/33804: ipfw bug/problem

Synopsis: ipfw bug/problem

State-Changed-From-To: open->feedback
State-Changed-By: johan
State-Changed-When: Tue May 6 12:57:02 PDT 2003
State-Changed-Why:
Is this still a problem?

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:57:02 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=33804

From: Johan Karlsson
To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/46159: ipfw dynamic rules lifetime feature

Synopsis: ipfw dynamic rules lifetime feature

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: johan
Responsible-Changed-When: Tue May 6 12:58:45 PDT 2003
Responsible-Changed-Why:
Over to maintainer group.

http://www.freebsd.org/cgi/query-pr.cgi?pr=46159
From: Johan Karlsson Message-Id: <200305062002.h46K2gB6062471@freefall.freebsd.org> To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/46564: IPFilter and IPFW processing order is not sensible> X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:02:44 -0000 Synopsis: IPFilter and IPFW processing order is not sensible> Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: johan Responsible-Changed-When: Tue May 6 13:02:05 PDT 2003 Responsible-Changed-Why: Over to ipfw maintainers who will hopefully know if this is the correct solution. http://www.freebsd.org/cgi/query-pr.cgi?pr=46564 From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 13:06:20 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A06037B401; Tue, 6 May 2003 13:06:20 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A059443F75; Tue, 6 May 2003 13:06:19 -0700 (PDT) (envelope-from johan@FreeBSD.org) Received: from freefall.freebsd.org (johan@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h46K6JUp066713; Tue, 6 May 2003 13:06:19 -0700 (PDT) (envelope-from johan@freefall.freebsd.org) Received: (from johan@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h46K6J0K066709; Tue, 6 May 2003 13:06:19 -0700 (PDT) Date: Tue, 6 May 2003 13:06:19 -0700 (PDT) 
From: Johan Karlsson Message-Id: <200305062006.h46K6J0K066709@freefall.freebsd.org> To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: bin/48015: make ipfw2 work with iplen ranges X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:06:20 -0000 Synopsis: make ipfw2 work with iplen ranges Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: johan Responsible-Changed-When: Tue May 6 13:05:58 PDT 2003 Responsible-Changed-Why: Over to maintainer group. http://www.freebsd.org/cgi/query-pr.cgi?pr=48015 From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 13:07:59 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 88ACC37B404 for ; Tue, 6 May 2003 13:07:59 -0700 (PDT) Received: from lilzcluster.liwest.at (lilzclust01.liwest.at [212.33.55.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 753B243F85 for ; Tue, 6 May 2003 13:07:58 -0700 (PDT) (envelope-from dgw@liwest.at) Received: from cm58-27.liwest.at by lilzcluster.liwest.at (8.10.2/1.1.2.11/08Jun01-1123AM) id h46K7ui0000794324; Tue, 6 May 2003 22:07:57 +0200 (MEST) 
From: Daniela To: ipfw@FreeBSD.org Date: Tue, 6 May 2003 22:08:06 +0000 User-Agent: KMail/1.5.1 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305062208.06242.dgw@liwest.at> Subject: Allow all traffic for a specific process X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:07:59 -0000 Hi all! Does IPFW have a feature to pass all traffic destined for ports a specific process has opened? The process opens many rapidly changing dynamic ports, UDP and TCP, so the keep-state rules are useless most of the time. If this is not possible, would it be easy to implement? I'm still a newbie, but if it's not too hard, I think I can do it. Regards, Daniela From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 13:10:18 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81C9837B401 for ; Tue, 6 May 2003 13:10:18 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 245B243F93 for ; Tue, 6 May 2003 13:10:18 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h46KAHUp067789 for ; Tue, 6 May 2003 13:10:17 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h46KAH8d067788; Tue, 6 May 2003 13:10:17 -0700 (PDT) Date: Tue, 6 May 2003 13:10:17 -0700 (PDT) Message-Id: <200305062010.h46KAH8d067788@freefall.freebsd.org> To: ipfw@FreeBSD.org 
From: "Simon L. Nielsen" Subject: Re: kern/51132: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Simon L. Nielsen" List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:10:19 -0000 The following reply was made to PR kern/51132; it has been noted by GNATS. 
From: "Simon L. Nielsen" To: freebsd-gnats-submit@FreeBSD.org Cc: Subject: Re: kern/51132: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly Date: Tue, 6 May 2003 22:08:54 +0200 --BOKacYhQ+x31HxR3 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Note that this was discussed on freebsd-net in the following thread: http://www.freebsd.org/cgi/getmsg.cgi?fetch=29964+0+/usr/local/www/db/text/2003/freebsd-net/20030427.freebsd-net Two fixes were proposed but none of them were apparently committed. -- Simon L. Nielsen --BOKacYhQ+x31HxR3 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+uBZW8kocFXgPTRwRAjKjAKCMkBxM9CP0+fmtxpMoQ2H6f4mnhQCfSkEW Rv9Hyzrr8WUChLe/xSLOxqw= =iKtp -----END PGP SIGNATURE----- --BOKacYhQ+x31HxR3-- From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 13:40:52 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 900A337B401; Tue, 6 May 2003 13:40:52 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 322F443F3F; Tue, 6 May 2003 13:40:52 -0700 (PDT) (envelope-from johan@FreeBSD.org) Received: from freefall.freebsd.org (johan@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h46KeqUp071152; Tue, 6 May 2003 13:40:52 -0700 (PDT) (envelope-from johan@freefall.freebsd.org) Received: (from johan@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h46KeqoX071148; Tue, 6 May 2003 13:40:52 -0700 (PDT) Date: Tue, 6 May 2003 13:40:52 -0700 (PDT) 
From: Johan Karlsson Message-Id: <200305062040.h46KeqoX071148@freefall.freebsd.org> To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/48172: ipfw does not log size and flags X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:40:52 -0000 Synopsis: ipfw does not log size and flags Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: johan Responsible-Changed-When: Tue May 6 13:40:34 PDT 2003 Responsible-Changed-Why: Over to maintainer group. http://www.freebsd.org/cgi/query-pr.cgi?pr=48172 From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 13:42:00 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 00A3837B40B; Tue, 6 May 2003 13:42:00 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 943CF43F3F; Tue, 6 May 2003 13:41:59 -0700 (PDT) (envelope-from johan@FreeBSD.org) Received: from freefall.freebsd.org (johan@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h46KfxUp071224; Tue, 6 May 2003 13:41:59 -0700 (PDT) (envelope-from johan@freefall.freebsd.org) Received: (from johan@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h46KfxKq071220; Tue, 6 May 2003 13:41:59 -0700 (PDT) Date: Tue, 6 May 2003 13:41:59 -0700 (PDT) 
From: Johan Karlsson Message-Id: <200305062041.h46KfxKq071220@freefall.freebsd.org> To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/49086: [patch] Make ipfw2 log to different syslog priorities X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:42:00 -0000 Synopsis: [patch] Make ipfw2 log to different syslog priorities Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: johan Responsible-Changed-When: Tue May 6 13:41:39 PDT 2003 Responsible-Changed-Why: Over to maintainer group. http://www.freebsd.org/cgi/query-pr.cgi?pr=49086 From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 13:43:03 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DD58937B404; Tue, 6 May 2003 13:43:03 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7476F43F93; Tue, 6 May 2003 13:43:03 -0700 (PDT) (envelope-from johan@FreeBSD.org) Received: from freefall.freebsd.org (johan@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h46Kh3Up071289; Tue, 6 May 2003 13:43:03 -0700 (PDT) (envelope-from johan@freefall.freebsd.org) Received: (from johan@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h46Kh3Iw071285; Tue, 6 May 2003 13:43:03 -0700 (PDT) Date: Tue, 6 May 2003 13:43:03 -0700 (PDT) 
From: Johan Karlsson Message-Id: <200305062043.h46Kh3Iw071285@freefall.freebsd.org> To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: bin/49959: ipfw tee port rule skips parsing next rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:43:04 -0000 Synopsis: ipfw tee port rule skips parsing next rules Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: johan Responsible-Changed-When: Tue May 6 13:42:48 PDT 2003 Responsible-Changed-Why: Over to maintainer group. http://www.freebsd.org/cgi/query-pr.cgi?pr=49959 From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 13:46:37 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0ED5A37B401; Tue, 6 May 2003 13:46:37 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A15C443F85; Tue, 6 May 2003 13:46:36 -0700 (PDT) (envelope-from johan@FreeBSD.org) Received: from freefall.freebsd.org (johan@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h46KkaUp071438; Tue, 6 May 2003 13:46:36 -0700 (PDT) (envelope-from johan@freefall.freebsd.org) Received: (from johan@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h46Kkaqr071434; Tue, 6 May 2003 13:46:36 -0700 (PDT) Date: Tue, 6 May 2003 13:46:36 -0700 (PDT) 
From: Johan Karlsson Message-Id: <200305062046.h46Kkaqr071434@freefall.freebsd.org> To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/51182: ipfw2. -d list shows couters for dynamic rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:46:37 -0000 Synopsis: ipfw2. -d list shows couters for dynamic rules Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: johan Responsible-Changed-When: Tue May 6 13:46:19 PDT 2003 Responsible-Changed-Why: Over to maintainer group. http://www.freebsd.org/cgi/query-pr.cgi?pr=51182 From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 13:47:17 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A27337B404; Tue, 6 May 2003 13:47:17 -0700 (PDT) Received: from mx1.lublin.pl (mx1.lublin.pl [212.182.63.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2F95443F93; Tue, 6 May 2003 13:47:15 -0700 (PDT) (envelope-from pawmal@unia.3lo.lublin.pl) Received: from proxy.zin.lublin.pl ([212.182.126.66]:24700 "EHLO towah-xp") by mx1.lublin.pl with ESMTP id ; Tue, 6 May 2003 22:47:04 +0200 
From: "Pawel Malachowski" Organization: unidentified flying modems To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Date: Tue, 06 May 2003 22:47:21 +0200 MIME-Version: 1.0 Message-ID: <3EB83B79.16633.10E9496@localhost> Priority: normal X-mailer: Pegasus Mail for Windows (v4.02a) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body Subject: Re: kern/46564: IPFilter and IPFW processing order is not sensible> X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:47:17 -0000

Hello,

Here is some example:

(private IPs)LAN---(fxp1)BOX(fxp0)---Internet

There are:
. dummynet running on fxp0
. ipnat running on fxp0

Right now outgoing packets on fxp0 go through ipnat and then through dummynet. It is not possible to shape this traffic on a per-user basis (for example with a src-ip mask) because after ipnatting all packets have the same source IP.

Possible solutions are:

. use dummynet on fxp0
This is not such a good idea if I have a huge number of local NICs and subnets because I have to make exceptions (ipfw skip) for local traffic. It is very easy and natural to use dummynet on the fxp0 interface for bandwidth limitation of `Internet' traffic.

. use natd instead of ipnat
Successfully tested, but I simply prefer ipnat. :)

So, probably the packet flow should be:

incoming: IPFilter -> IPFW
outgoing: IPFW -> IPFilter

This code is `for private use' and is quite bad but does that (4.8):
http://unia.3lo.lublin.pl/~pawmal/freebsd/ip_output-ipfw-ipf.diff

I know the submitter tried something similar on his own, too. However, allowing the user to decide about the order (using sysctls?) would be the best solution.
regards, -- Pawel Malachowski From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 13:48:36 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 07DC437B401; Tue, 6 May 2003 13:48:36 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9EF1143F93; Tue, 6 May 2003 13:48:35 -0700 (PDT) (envelope-from johan@FreeBSD.org) Received: from freefall.freebsd.org (johan@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h46KmZUp071509; Tue, 6 May 2003 13:48:35 -0700 (PDT) (envelope-from johan@freefall.freebsd.org) Received: (from johan@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h46KmZ8w071505; Tue, 6 May 2003 13:48:35 -0700 (PDT) Date: Tue, 6 May 2003 13:48:35 -0700 (PDT) 
From: Johan Karlsson Message-Id: <200305062048.h46KmZ8w071505@freefall.freebsd.org> To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: bin/51750: ipfw2.c typos X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 20:48:36 -0000 Synopsis: ipfw2.c typos Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: johan Responsible-Changed-When: Tue May 6 13:48:16 PDT 2003 Responsible-Changed-Why: Over to maintainer group. http://www.freebsd.org/cgi/query-pr.cgi?pr=51750 From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 14:10:18 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 385A537B401 for ; Tue, 6 May 2003 14:10:18 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0CC543F85 for ; Tue, 6 May 2003 14:10:17 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h46LAHUp075949 for ; Tue, 6 May 2003 14:10:17 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h46LAHjf075948; Tue, 6 May 2003 14:10:17 -0700 (PDT) Date: Tue, 6 May 2003 14:10:17 -0700 (PDT) Message-Id: <200305062110.h46LAHjf075948@freefall.freebsd.org> To: ipfw@FreeBSD.org 
From: Johan Karlsson Subject: Fwd: Re: kern/46564: IPFilter and IPFW processing order is not sensible> X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Johan Karlsson List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 May 2003 21:10:18 -0000 The following reply was made to PR kern/46564; it has been noted by GNATS. From: Johan Karlsson To: Bug followup Cc: Subject: Fwd: Re: kern/46564: IPFilter and IPFW processing order is not sensible> Date: Tue, 6 May 2003 23:09:41 +0200 Adding to the audit-trail. ----- Forwarded message from Pawel Malachowski ----- 
From: "Pawel Malachowski" To: johan@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/46564: IPFilter and IPFW processing order is not sensible> Date: Tue, 06 May 2003 22:47:21 +0200

Hello,

Here is some example:

(private IPs)LAN---(fxp1)BOX(fxp0)---Internet

There are:
. dummynet running on fxp0
. ipnat running on fxp0

Right now outgoing packets on fxp0 go through ipnat and then through dummynet. It is not possible to shape this traffic on a per-user basis (for example with a src-ip mask) because after ipnatting all packets have the same source IP.

Possible solutions are:

. use dummynet on fxp0
This is not such a good idea if I have a huge number of local NICs and subnets because I have to make exceptions (ipfw skip) for local traffic. It is very easy and natural to use dummynet on the fxp0 interface for bandwidth limitation of `Internet' traffic.

. use natd instead of ipnat
Successfully tested, but I simply prefer ipnat. :)

So, probably the packet flow should be:

incoming: IPFilter -> IPFW
outgoing: IPFW -> IPFilter

This code is `for private use' and is quite bad but does that (4.8):
http://unia.3lo.lublin.pl/~pawmal/freebsd/ip_output-ipfw-ipf.diff

I know the submitter tried something similar on his own, too. However, allowing the user to decide about the order (using sysctls?) would be the best solution.
regards, -- Pawel Malachowski ----- End forwarded message ----- -- Johan Karlsson mailto:johan@FreeBSD.org From owner-freebsd-ipfw@FreeBSD.ORG Tue May 6 23:48:37 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2E73537B401 for ; Tue, 6 May 2003 23:48:37 -0700 (PDT) Received: from mx1.dev.itouchnet.net (itouchlabs.com [196.15.188.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id ABAE943FA3 for ; Tue, 6 May 2003 23:48:32 -0700 (PDT) (envelope-from bvi@itouchlabs.com) Received: from nobody by mx1.dev.itouchnet.net with scanned_ok (Exim 3.35 #1) id 19DImh-0005zW-00 for ipfw@freebsd.org; Wed, 07 May 2003 08:52:11 +0200 X-TLS: TLSv1:RC4-MD5:128 itouchlabs.com -> mx1.dev.itouchnet.net Received: from itouchlabs.com ([196.15.188.2] helo=Beastie) by mx1.dev.itouchnet.net with esmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 19DImg-0005zE-00; Wed, 07 May 2003 08:52:10 +0200 Message-ID: <01b201c31464$6f16b4b0$4508a8c0@Beastie> 
From: "Barry Irwin" To: "Daniela" , References: <200305062208.06242.dgw@liwest.at> Date: Wed, 7 May 2003 08:46:16 +0200 Organization: iTouch Labs MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Checked: This message has been scanned for any virusses and unauthorized attachments. X-iScan-ID: 23028-1052290330-29832@unconfigured version $Name: REL_2_0_4 $ Subject: Re: Allow all traffic for a specific process X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 May 2003 06:48:37 -0000 Morning One solution may be to run the process as a specific user, and allow all traffic to/from that user ? Have a look in the man page for details on using uid and gid for matching traffic. Barry -- Barry Irwin bvi@itouchlabs.com Tel: +27214875178 Systems Administrator: Networks And Security iTouch Technology iTouch TAS http://www.itouchlabs.com Mobile: +27824457210 ----- Original Message ----- 
From: "Daniela" To: Sent: Wednesday, May 07, 2003 12:08 AM Subject: Allow all traffic for a specific process > Hi all! > > Does IPFW have a feature to pass all traffic destined for ports a specific > process has opened? > The process opens many rapidly changing dynamic ports, UDP and TCP, so the > keep-state rules are useless most of the time. > > If this is not possible, would it be easy to implement? > I'm still a newbie, but if it's not too hard, I think I can do it. > > Regards, > Daniela > > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > > > From owner-freebsd-ipfw@FreeBSD.ORG Wed May 7 07:29:06 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D8FC37B401 for ; Wed, 7 May 2003 07:29:06 -0700 (PDT) Received: from lilzcluster.liwest.at (lilzclust01.liwest.at [212.33.55.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 868E343F93 for ; Wed, 7 May 2003 07:29:04 -0700 (PDT) (envelope-from dgw@liwest.at) Received: from cm58-27.liwest.at by lilzcluster.liwest.at (8.10.2/1.1.2.11/08Jun01-1123AM) id h47ESsR0000709395; Wed, 7 May 2003 16:28:55 +0200 (MEST) 
From: Daniela To: "Barry Irwin" , Date: Wed, 7 May 2003 16:29:17 +0000 User-Agent: KMail/1.5.1 References: <200305062208.06242.dgw@liwest.at> <01b201c31464$6f16b4b0$4508a8c0@Beastie> In-Reply-To: <01b201c31464$6f16b4b0$4508a8c0@Beastie> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200305071629.17103.dgw@liwest.at> Subject: Re: Allow all traffic for a specific process X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 May 2003 14:29:06 -0000 On Wednesday 07 May 2003 06:46, Barry Irwin wrote: > Morning > > One solution may be to run the process as a specific user, and allow all > traffic to/from that user ? > > Have a look in the man page for details on using uid and gid for matching > traffic. Thanks, that would be a good idea, but the process needs to access files in my home directory. I don't want my files to be writable by others. How do I do that? If there's no other way, I'll play around with the IPFW source to add an option. Or would that be too difficult for a newbie? Daniela From owner-freebsd-ipfw@FreeBSD.ORG Wed May 7 08:17:09 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED30B37B404 for ; Wed, 7 May 2003 08:17:09 -0700 (PDT) Received: from mail.alberti-datentechnik.de (mail.alberti-datentechnik.de [62.146.91.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3D5B643F75 for ; Wed, 7 May 2003 08:17:08 -0700 (PDT) (envelope-from nowhere@phobgate.de) Received: from df20451cdd5c43f (localhost [127.0.0.1])h46KWFX25911; Tue, 6 May 2003 22:32:15 +0200 
From: alex To: Daniela , ipfw@FreeBSD.org Message-ID: <130328252.957652342@[192.168.2.94]> In-Reply-To: <200305062208.06242.dgw@liwest.at> References: <200305062208.06242.dgw@liwest.at> X-Mailer: Mulberry/2.2.1 (Win32) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Re: Allow all traffic for a specific process X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: alex List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Wed, 07 May 2003 15:17:10 -0000 X-Original-Date: Sat, 06 May 2000 22:32:22 +0200 X-List-Received-Date: Wed, 07 May 2003 15:17:10 -0000

Run the process under its own user and/or group id, then use an ipfw rule with the uid and/or gid option. The ipfw manual says:

uid user
  Match all TCP or UDP packets sent by or received for a user. A user may be matched by name or identification number.

gid group
  Match all TCP or UDP packets sent by or received for a group. A group may be matched by name or identification number.

I've used these options for shell accounts to share bandwidth between users.

--On Tuesday, 6 May 2003 22:08 +0000 Daniela wrote:

> Hi all!
>
> Does IPFW have a feature to pass all traffic destined for ports a
> specific process has opened?
> The process opens many rapidly changing dynamic ports, UDP and TCP, so
> the keep-state rules are useless most of the time.
>
> If this is not possible, would it be easy to implement?
> I'm still a newbie, but if it's not too hard, I think I can do it.
> > Regards, > Daniela > > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Wed May 7 23:31:03 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BCE9137B401 for ; Wed, 7 May 2003 23:31:03 -0700 (PDT) Received: from mx1.dev.itouchnet.net (itouchlabs.com [196.15.188.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 75AA943F3F for ; Wed, 7 May 2003 23:31:02 -0700 (PDT) (envelope-from bvi@itouchlabs.com) Received: from nobody by mx1.dev.itouchnet.net with scanned_ok (Exim 3.35 #1) id 19DezN-000P6Z-00 for ipfw@freebsd.org; Thu, 08 May 2003 08:34:45 +0200 X-TLS: TLSv1:RC4-MD5:128 itouchlabs.com -> mx1.dev.itouchnet.net Received: from itouchlabs.com ([196.15.188.2] helo=Beastie) by mx1.dev.itouchnet.net with esmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 19DezN-000P6H-00; Thu, 08 May 2003 08:34:45 +0200 Message-ID: <003a01c3152b$2810c2f0$4508a8c0@Beastie> 
From: "Barry Irwin" To: "Daniela" , References: <200305062208.06242.dgw@liwest.at> <01b201c31464$6f16b4b0$4508a8c0@Beastie> <200305071629.17103.dgw@liwest.at> Date: Thu, 8 May 2003 08:28:17 +0200 Organization: iTouch Labs MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Checked: This message has been scanned for any virusses and unauthorized attachments. X-iScan-ID: 96501-1052375685-97972@unconfigured version $Name: REL_2_0_4 $ Subject: Re: Allow all traffic for a specific process X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 May 2003 06:31:04 -0000 ----- Original Message ----- 
From: "Daniela"
Sent: Wednesday, May 07, 2003 6:29 PM
Subject: Re: Allow all traffic for a specific process

> Thanks, that would be a good idea, but the process needs to access files in my
> home directory.
> I don't want my files to be writable by others.
> How do I do that?

The files just need to be readable by the GID that the process runs as, not
writable.

Barry

-- 
Barry Irwin                                   bvi@itouchlabs.com
Tel: +27214875178   Systems Administrator: Networks And Security
iTouch Technology   iTouch TAS   http://www.itouchlabs.com
Mobile: +27824457210
From: Daniela
Date: Thu, 8 May 2003 19:51:35 +0000
Subject: Re: Allow all traffic for a specific process
Message-Id: <200305081951.35493.dgw@liwest.at>

On Thursday 08 May 2003 06:28, Barry Irwin wrote:
> ----- Original Message -----
> From: "Daniela"
> Sent: Wednesday, May 07, 2003 6:29 PM
> Subject: Re: Allow all traffic for a specific process
>
> > Thanks, that would be a good idea, but the process needs to access files
> > in my home directory.
> > I don't want my files to be writable by others.
> > How do I do that?
>
> The files just need to be readable by the GID that the process runs as, not
> writable.

I mean, I don't want my files to be readable and writable by anyone else.
The process creates and writes the files, so it needs write access.

Daniela
From: Forrest Aldrich
To: freebsd-ipfw@freebsd.org
Date: Thu, 08 May 2003 19:22:18 -0400
Subject: Traffic Shaping with IPFW question
Message-Id: <5.2.1.1.2.20030508192050.01bfd150@192.168.1.1>

Is it possible to shape traffic (limit consumption) from specific ip ranges?

For example, I have some files that are usually pulled down from one customer - when they do this, it eats up a lot of traffic - if I could limit the bandwidth from my site TO theirs, it would be better and wouldn't interfere with other operations going over the interface.

I tried looking for a "howto" on this...

Thanks.
From: "Simon L. Nielsen"
To: Forrest Aldrich
Date: Fri, 9 May 2003 01:27:25 +0200
Subject: Re: Traffic Shaping with IPFW question
Message-ID: <20030508232725.GB4639@nitro.dk>

On 2003.05.08 19:22:18 -0400, Forrest Aldrich wrote:
> Is it possible to shape traffic (limit consumption) from specific ip ranges?
>
> For example, I have some files that are usually pulled down from one
> customer - when they do this, it eats up a lot of traffic - if I could
> limit the bandwidth from my site TO theirs, it would be better and wouldn't
> interfere with other operations going over the interface.
>
> I tried looking for a "howto" on this...

Look at dummynet(4) and ipfw(8).

-- 
Simon L.
Nielsen
From: Evgeny Ivanov
To: freebsd-ipfw@freebsd.org
Date: Fri, 9 May 2003 12:29:38 +0300 (EEST)
Subject: Counting rules
Message-ID: <882655426.1052472578528.JavaMail.nobody@app1.ni.bg>

Hello everyone,

I have a problem setting up the accounting rules.
I want to account all incoming and outgoing traffic per each of the stations that are behind NAT box. The situation is something like this:

add divert natd all from any to any via rl0
add allow all from any to any
add count from 192.168.1.10 to any out
add count from any to 192.168.1.10 in

And the last two rules not working.

Can you please tell me what the hell I am missing? :))

Thanks in advance
From: "Simon L. Nielsen"
To: ipfw@FreeBSD.org
Date: Fri, 9 May 2003 02:30:13 -0700 (PDT)
Subject: Re: bin/47120: [patch] Sanity check in ipfw(8)
Message-Id: <200305090930.h499UDLr027213@freefall.freebsd.org>

The following reply was made to PR bin/47120; it has been noted by GNATS.
From: "Simon L. Nielsen"
To: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/47120: [patch] Sanity check in ipfw(8)
Date: Fri, 9 May 2003 11:22:17 +0200

Hello

This PR can be closed since it is only a half bandaid and there is still a million other ways to shoot oneself in the foot by doing "stupid" things with ipfw. This was discussed with Luigi Rizzo on the freebsd-ipfw mailing list (in January AFAIR) - I just forgot about the PR again.

-- 
Simon L. Nielsen
From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Date: Fri, 9 May 2003 10:15:15 +0000
Subject: Re: Counting rules
Message-ID: <20030509101515.GA5791@rfc-networks.ie>

Evgeny Ivanov 25 lines of wisdom included:
>
> Hello everyone,
> I have a problem setting up the accounting rules.
> I want to account all incoming and outgoing traffic per each of the stations that are behind NAT box. The situation is something like this:
>
> add divert natd all from any to any via rl0
> add allow all from any to any
> add count from 192.168.1.10 to any out
> add count from any to 192.168.1.10 in
>
> And the last two rules not working.
>
> Can you please tell me what the hell I am missing? :))

the count rules are in the wrong place. Remember the following:

The divert rule converts INTERNAL (i.e. 192.168.0.0/24) to EXTERNAL (i.e. some.ip)

You need the following wrapped around your divert natd rule.

ipfw add 1000 count ip from ${HOST} to not ${INTERNAL} via rl0 out
ipfw add 2000 divert natd all from any to any via rl0
ipfw add 3000 count ip from not ${INTERNAL} to ${HOST} via rl0 in

The first rule counts packets going OUT through the external interface (``rl0'') to an external network (i.e. not the internal network) from the host. This has to match before the packet is NAT'd (or rewritten) because the source address is going to change once that happens.
Remember, on your NAT interface, traffic leaving for an external network is rewritten, so rules applying to internal hosts must be before the NAT translation.

The second rule is your divert natd rule (with an explicit rule number)

The third rule is your count rule, matching packets from the external network (once again, this is defined as not the internal network) to your host coming in through rl0.

I made an assumption that you only want to match packets that leave your external network, that may not be true, in which case you would change the "not ${INTERNAL}" of rule 1000 and 3000 to "any"

-- 
Philip Reynolds                      | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie      | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil  | www.rfc-networks.ie
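The three-rule template above, generalised to every host behind the NAT box (Evgeny's 15 machines) and paired with a reader for the resulting counters, as an added example that is not code from the thread. EXTIF, INTERNAL, the rule numbering and the `ipfw -a list` sample are assumptions chosen here; the 192.168.1.x addresses follow the thread.

```shell
#!/bin/sh
# Added example, not Philip's or Evgeny's code. ipfw stops at the first
# terminating rule (allow/deny), but a `count' rule matches, bumps its
# counters and lets the packet fall through. So: outbound counters before
# the divert (they must see the pre-NAT internal source), the divert,
# inbound counters after it (they see the post-NAT internal destination),
# and only then the allow. Evgeny's rules sat after "allow all" and were
# therefore never reached.
EXTIF=rl0                 # external interface (assumed)
INTERNAL=192.168.1.0/24   # the NAT'd network (assumed)

# Print the rule set for the hosts given as arguments. Numbering:
# 1000+10*i outbound counters, 2000 divert, 3000+10*i inbound counters,
# 65000 allow; that leaves room for 100 hosts per block.
gen_rules() {
    i=0
    for h in "$@"; do
        echo "add $((1000 + 10 * i)) count ip from $h to not $INTERNAL via $EXTIF out"
        i=$((i + 1))
    done
    echo "add 2000 divert natd all from any to any via $EXTIF"
    i=0
    for h in "$@"; do
        echo "add $((3000 + 10 * i)) count ip from not $INTERNAL to $h via $EXTIF in"
        i=$((i + 1))
    done
    echo "add 65000 allow all from any to any"
}

# Read `ipfw -a list' output from stdin (columns: rule packets bytes
# action ...) and print "<bytes out> <bytes in>" for one host. The out
# rule has the host as field 7 ("from HOST"), the in rule as field 10
# ("from not NET to HOST"); only count rules are summed.
host_bytes() {
    awk -v h="$1" '
        $4 == "count" && $7 == h  { ob += $3 }
        $4 == "count" && $10 == h { ib += $3 }
        END { printf "%d %d\n", ob, ib }
    '
}

# Constructed sample of `ipfw -a list' after some traffic (not captured
# from a real box; ipfw prints "all" as "ip" and natd as its port).
SAMPLE_LIST='01000   12    3456 count ip from 192.168.1.10 to not 192.168.1.0/24 via rl0 out
01010    0       0 count ip from 192.168.1.11 to not 192.168.1.0/24 via rl0 out
02000   40   52000 divert 8668 ip from any to any via rl0
03000   20   18000 count ip from not 192.168.1.0/24 to 192.168.1.10 via rl0 in
03010    8    9000 count ip from not 192.168.1.0/24 to 192.168.1.11 via rl0 in
65000  100  123456 allow ip from any to any'

# Stand-alone demo: the rules for two hosts, then their byte totals.
gen_rules 192.168.1.10 192.168.1.11
printf '%s\n' "$SAMPLE_LIST" | host_bytes 192.168.1.10   # 3456 18000
printf '%s\n' "$SAMPLE_LIST" | host_bytes 192.168.1.11   # 0 9000
```

To load the rules on a real box, pipe `gen_rules ...` into `sed 's/^/ipfw /' | sh` after checking the output; the divert rule needs natd(8) running on the same interface.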
From: Andrew Kopeyko
To: freebsd-ipfw@freebsd.org
Date: Fri, 9 May 2003 14:35:53 +0400 (MSD)
Subject: Re: Counting rules
Message-ID: <20030509142600.D49934@park.rambler.ru>

On Fri, 9 May 2003, Evgeny Ivanov wrote:
>
> Hello everyone,
> I have a problem setting up the accounting rules.
> I want to account all incoming and outgoing traffic per each of the stations that are behind NAT box. The situation is something like this:
>
> add divert natd all from any to any via rl0
> add allow all from any to any
> add count from 192.168.1.10 to any out
> add count from any to 192.168.1.10 in
>
> And the last two rules not working.
>
> Can you please tell me what the hell I am missing? :))

Have you read ``man ipfw''??? IMHO - you don't...

In 2 words - ipfw uses 'first rule match' ideology - vice versa to ipfilter's "last match". So, all your traffic is matched by rules 1 & 2.

If 192.168.1.0/24 is your internal NAT'ed network - move `count' rules to the beginning - and you will have enough time to read manpage.

-- 
Best regards,
Andrew Kopeyko
Head of NOC
Rambler Co.
http://www.rambler.ru/
phone : +7 095 745-3619
From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Date: Fri, 9 May 2003 14:34:38 +0000
Subject: Re: Counting rules
Message-ID: <20030509143438.GD5791@rfc-networks.ie>

Evgeny Ivanov 11 lines of wisdom included:
>
> I may not have explained my needs exactly. The issue is: I have
> 15 machines that are standing behind FBSD NAT BOX and through
> they are all connected to the Inet. Because our link to the Inet
> is traffic limited and sensitive I want to know traffic on/out
> per IP. Is that possible if I have NAT working or not. Thanks
> in advance once more

Hi Evgeny,

Yes it is. I thought I gave you the commands to do it. What exactly didn't you understand from my last mail?

Kind Regards,

-- 
Philip Reynolds                      | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie      | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil  | www.rfc-networks.ie
From: Michael Sierchio
To: Evgeny Ivanov
Date: Fri, 09 May 2003 08:01:18 -0700
Subject: Re: Counting rules
Message-ID: <3EBBC2BE.6030802@tenebras.com>

Evgeny Ivanov wrote:
> Hello everyone,
> I have a problem setting up the accounting rules.
> I want to account all incoming and outgoing traffic per each of the stations that are behind NAT box. The situation is something like this:
>
> add divert natd all from any to any via rl0
> add allow all from any to any
> add count from 192.168.1.10 to any out
> add count from any to 192.168.1.10 in
>
> And the last two rules not working.
>
> Can you please tell me what the hell I am missing? :))

Just the basics.
;-)

rule processing terminates with "allow" so subsequent rules aren't reached
From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Date: Fri, 9 May 2003 16:04:01 +0000
Subject: Re: Allow all traffic for a specific process
Message-ID: <20030509160401.GA5244@rfc-networks.ie>

Daniela 29 lines of wisdom included:
>
> > > home directory.
> > > I don't want my files to be writable by others.
> > > How do I do that?
> >
> > The files just need to be readable by the GID that the process runs as, not
> > writable.
>
> I mean, I don't want my files to be readable and writable by anyone else.
> The process creates and writes the files, so it needs write access.

Run the process as a separate user.

Create a group, and add yourself and the user that the process is running under to that group.

Make the directory under your home directory writeable by your group (chmod g+rw /path/to/dir)

Set the appropriate umask(2) or use chmod(2) to create the appropriate permissions on the files.

-- 
Philip Reynolds                      | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie      | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil  | www.rfc-networks.ie
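The layout Philip describes, worked through as an added example (not code from the thread), with two details the advice leaves implicit: the group needs x on the directory as well as rw in order to enter it, and a setgid directory makes the process's new files land in the shared group automatically. The account and group names, the pw(8) commands and the scratch directory are assumptions chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. A dedicated user for the process, a
# shared group containing that user and the owner, a setgid directory with
# no permissions for others, and a umask so the files the process writes
# are readable and writable by the two group members only.
PROC_USER=fetchd        # the separate user the process runs as (assumed)
SHARE_GROUP=fetchshare  # the group both accounts belong to (assumed)

# Root-only: create the group and the process user, then add the owner to
# the group. FreeBSD pw(8); called explicitly, never by the demo below.
setup_accounts() {
    pw groupadd "$SHARE_GROUP"
    pw useradd "$PROC_USER" -g "$SHARE_GROUP" -d /nonexistent -s /usr/sbin/nologin
    pw groupmod "$SHARE_GROUP" -m "$(id -un)"
}

# Permission string of a path as ls(1) prints it, e.g. "drwxrws---".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# The shared directory: rwx for owner and group (x is what "chmod g+rw"
# on a directory leaves out: without it the process cannot cd into it),
# nothing for others, setgid (the leading 2) so new files inherit the
# group. The process user also needs x on every parent directory, e.g.
# chmod o+x on the home directory or chgrp it to the shared group and g+x.
make_shared_dir() {
    mkdir -p "$1"
    chmod 2770 "$1"
    # chgrp is only meaningful once setup_accounts has created the group
    if grep -q "^$SHARE_GROUP:" /etc/group 2>/dev/null; then
        chgrp "$SHARE_GROUP" "$1"
    fi
}

# The process side: umask 007 makes every file it creates rw for owner and
# group and inaccessible to everyone else, with no per-file chmod.
write_as_process() {
    ( umask 007 && : > "$1/$2" )
}

# Unprivileged demo in a scratch directory standing in for ~/share.
TMP=$(mktemp -d)
make_shared_dir "$TMP/share"
write_as_process "$TMP/share" report.txt
echo "share:  $(mode_of "$TMP/share")"             # drwxrws---
echo "report: $(mode_of "$TMP/share/report.txt")"  # -rw-rw----
rm -rf "$TMP"
```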
From: Daniela
To: philip.reynolds@rfc-networks.ie, freebsd-ipfw@freebsd.org
Date: Fri, 9 May 2003 23:14:56 +0000
Subject: Re: Allow all traffic for a specific process
Message-Id: <200305092314.56916.dgw@liwest.at>

On Friday 09 May 2003 16:04, Philip Reynolds wrote:
> Run the process as a separate user.
>
> Create a group, and add yourself and the user that the process is
> running under to that group.
>
> Make the directory under your home directory writeable by your group
> (chmod g+rw /path/to/dir)
>
> Set the appropriate umask(2) or use chmod(2) to create the appropriate
> permissions on the files.

I created a new user and a new group, added myself to the group and set the appropriate permissions, but now it comes to my mind that I can't cd into my home directory from the new account. This could be solved by changing my login group, but I can't do that. I would have to change too many things in my system.

Well, it can't be wrong to give IPFW a new option. I'll implement it in ASM. :-)
No, ASM would be too extreme.
Daniela

From: "Ted Mittelstaedt"
To: ipfw@FreeBSD.org
Date: Fri, 9 May 2003 23:50:17 -0700 (PDT)
Subject: Re: kern/51485: "Fatal trap 12" from bridge code with ipfw enabled, when passing a traceroute.
Message-Id: <200305100650.h4A6oHKQ087235@freefall.freebsd.org>

The following reply was made to PR kern/51485; it has been noted by GNATS.

From: "Ted Mittelstaedt"
Subject: Re: kern/51485: "Fatal trap 12" from bridge code with ipfw enabled, when passing a traceroute.
Date: Fri, 9 May 2003 23:47:05 -0700

Can you try replacing the 3c905 card with a better card such as an Intel Pro 100 and see if the problem keeps happening?

Ted Mittelstaedt
tedm@toybox.placo.com