From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 02:45:33 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6679F37B401; Mon, 16 Jun 2003 02:45:33 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id F303143FAF; Mon, 16 Jun 2003 02:45:32 -0700 (PDT) (envelope-from maxim@FreeBSD.org)
Received: from freefall.freebsd.org (maxim@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h5G9jWUp088635; Mon, 16 Jun 2003 02:45:32 -0700 (PDT) (envelope-from maxim@freefall.freebsd.org)
Received: (from maxim@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h5G9jWWC088631; Mon, 16 Jun 2003 02:45:32 -0700 (PDT)
Date: Mon, 16 Jun 2003 02:45:32 -0700 (PDT)
From: Maxim Konovalov
Message-Id: <200306160945.h5G9jWWC088631@freefall.freebsd.org>
To: vd@datamax.bg, maxim@FreeBSD.org, ipfw@FreeBSD.org, maxim@FreeBSD.org
Subject: Re: bin/51750: ipfw2.c typos
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 16 Jun 2003 09:45:33 -0000

Synopsis: ipfw2.c typos

State-Changed-From-To: open->patched
State-Changed-By: maxim
State-Changed-When: Mon Jun 16 02:45:02 PDT 2003
State-Changed-Why:
Fixed in -CURRENT, thanks!

Responsible-Changed-From-To: ipfw->maxim
Responsible-Changed-By: maxim
Responsible-Changed-When: Mon Jun 16 02:45:02 PDT 2003
Responsible-Changed-Why:
MFC reminder.

http://www.freebsd.org/cgi/query-pr.cgi?pr=51750

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 06:55:25 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B67E637B401 for ; Mon, 16 Jun 2003 06:55:25 -0700 (PDT)
Received: from bes.amduat.net (bes.amduat.net [206.124.149.190]) by mx1.FreeBSD.org (Postfix) with ESMTP id 07CB243FDF for ; Mon, 16 Jun 2003 06:55:25 -0700 (PDT) (envelope-from jbarrett@amduat.net)
Received: from amduat.net (osiris.amduat.net [10.0.0.69]) (IDENT: trilluser, AUTH: LOGIN jbarrett) by bes.amduat.net with esmtp; Mon, 16 Jun 2003 06:55:24 -0700
Message-ID: <3EEDCB2F.6080107@amduat.net>
Date: Mon, 16 Jun 2003 06:50:39 -0700
From: "Jacob S. Barrett"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030529
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: ipfw2 timestamp patch
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 16 Jun 2003 13:55:26 -0000

I have a need for the raw timestamp and have written a patch against
ipfw2.c to have it return it. It adds an option 'T' which will display
the time stamp value without converting it via ctime. I use this for
scripting ipfw output where I need the timestamp. It was just becoming a
hassle to convert the string back into a usable value. So I just
modified ipfw2.c (I suppose the same can be done with ipfw.c) to not
convert it.

Anyway, I was hoping maybe this patch could find its way into the ipfw
sources so I don't have to patch it all the time. I think it is pretty
useful.

This patch was taken against RELENG_4_8.

--- ipfw2.c.orig Mon Jun 16 06:21:26 2003 +++ ipfw2.c Mon Jun 16 06:25:14 2003 @@ -58,6 +58,7 @@ do_resolv, /* Would try to resolve all */ do_acct, /* Show packet/byte count */ do_time, /* Show time stamps */ + do_timestamp, /* Show time stamps in seconds*/ do_quiet, /* Be quiet in add and flush */ do_force, /* Don't ask for confirmation */ do_pipe, /* this cmd refers to a pipe */ @@ -824,6 +825,9 @@ if (do_acct) printf("%10qu %10qu ", rule->pcnt, rule->bcnt); + if (do_timestamp) + printf("%10lu ", rule->timestamp); + if (do_time) { char timestr[30]; @@ -3344,7 +3348,7 @@ do_force = !isatty(STDIN_FILENO); optind = optreset = 1; - while ((ch = getopt(ac, av, "hs:acdefNqStv")) != -1) + while ((ch = getopt(ac, av, "hs:acdefNqStTv")) != -1) switch (ch) { case 'h': /* help */ help();
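Review bot: in the first hunk (`@@ -58,6 +58,7 @@`) the new flag `do_timestamp` is added directly under `do_time` with the comment `/* Show time stamps in seconds*/`, which does not say how it differs from `do_time`, whose comment is already "Show time stamps". State in the comment that this flag prints the raw seconds value stored in the rule instead of the ctime string, and add the missing space before `*/` so it matches the neighbouring comments.

Review bot: in the second hunk (`@@ -824,6 +825,9 @@`), `printf("%10lu ", rule->timestamp);` hands `rule->timestamp` to a `%lu` conversion with no cast; unless that field is declared exactly `unsigned long`, the conversion and the argument disagree, and on an LP64 target where `long` is 64 bits a narrower field is read past its size. Cast it explicitly, `printf("%10lu ", (unsigned long)rule->timestamp);`, or pick the conversion that matches the field's declared type. Two behaviours visible in this hunk also belong in the commit message: a rule that has never matched prints `0` here while the `do_time` branch below it prints padding, and when `-t` and `-T` are both given the raw column is emitted ahead of the ctime column.

Review bot: in the third hunk (`@@ -3344,7 +3348,7 @@`) the getopt string grows from `"hs:acdefNqStv"` to `"hs:acdefNqStTv"`, but nothing in the patch updates `help()` or the ipfw(8) manual page, so a user listing the options will not find `-T`; add a usage line next to `-t` in both places saying that `-T` prints the last-match time as raw seconds rather than via ctime. The cover note says only ipfw2.c is touched, so the same branch's ipfw.c front end will still reject `-T`; either carry the option into ipfw.c as well or say in the commit message that it exists only in ipfw2.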
@@ -3379,6 +3383,9 @@ break; case 't': do_time = 1; + break; + case 'T': + do_timestamp = 1; break; case 'v': /* verbose */ verbose++;

-- 
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 08:22:02 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CBE9737B401 for ; Mon, 16 Jun 2003 08:22:02 -0700 (PDT)
Received: from goliath.cnchost.com (goliath.cnchost.com [207.155.252.47]) by mx1.FreeBSD.org (Postfix) with ESMTP id 35A0B43FE9 for ; Mon, 16 Jun 2003 08:22:02 -0700 (PDT) (envelope-from sahafeez@edgefocus.com)
Received: from edgefocus.com ([12.106.69.222]) by goliath.cnchost.com id LAA03069; Mon, 16 Jun 2003 11:22:01 -0400 (EDT) [ConcentricHost SMTP Relay 1.15]
Errors-To:
Message-ID: <3EEDE099.9080603@edgefocus.com>
Date: Mon, 16 Jun 2003 08:22:01 -0700
From: Sean Hafeez
Organization: EdgeFocus, Inc.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: ipfw, dummynet and a large subnet to shape
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: sahafeez@edgefocus.com
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 16 Jun 2003 15:22:03 -0000

I have been reading through all the links on Google and the man pages and
facts and have come to realize that the information is quite - not
right.

Here is what I need to do:

I have a network - 10.0.0.0/22 that is NAT'd. The external interface
is rl0 and the internal is rl1. I want everyone shaped to 1024kbits/s.
When I say everyone I mean each unique user (i.e., 10.0.0.23 or
10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
and up.

Here is what I got.

ipfw -f flush
/sbin/natd -interface rl0
ipfw add 999 divert natd all from any to any via rl0
ipfw add pipe 1 ip from any to any in via rl1
ipfw add pipe 2 ip from any to any in via rl0
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

I have added:

net.inet.ip.fw.one_pass=0
net.inet.ip.dummynet.hash_size=256
net.inet.ip.dummynet.max_chain_len=64

to sysctl.conf.

Does not seem to be working right. Have I got this wrong?

Thanks!
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 08:56:36 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F2C337B401 for ; Mon, 16 Jun 2003 08:56:36 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id EF42243F93 for ; Mon, 16 Jun 2003 08:56:35 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h5GFuCQg034038; Mon, 16 Jun 2003 08:56:12 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h5GFuCrc034037; Mon, 16 Jun 2003 08:56:12 -0700 (PDT) (envelope-from rizzo)
Date: Mon, 16 Jun 2003 08:56:12 -0700
From: Luigi Rizzo
To: Sean Hafeez
Message-ID: <20030616085612.C33619@xorpc.icir.org>
References: <3EEDE099.9080603@edgefocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <3EEDE099.9080603@edgefocus.com>; from sahafeez@edgefocus.com on Mon, Jun 16, 2003 at 08:22:01AM -0700
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw, dummynet and a large subnet to shape
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 16 Jun 2003 15:56:36 -0000

You need to pass packets through the pipe before the 'divert' for
outgoing traffic, and _after_ the divert for incoming.

cheers
luigi

On Mon, Jun 16, 2003 at 08:22:01AM -0700, Sean Hafeez wrote:
> I have been reading through all the links on Google and the man pages and
> facts and have come to realize that the information is quite - not
> right.
> 
> Here is what I need to do:
> 
> I have a network - 10.0.0.0/22 that is NAT'd. The external interface
> is rl0 and the internal is rl1. I want everyone shaped to 1024kbits/s.
> When I say everyone I mean each unique user (i.e., 10.0.0.23 or
> 10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
> and up.
> 
> Here is what I got.
> 
> ipfw -f flush
> /sbin/natd -interface rl0
> ipfw add 999 divert natd all from any to any via rl0
> ipfw add pipe 1 ip from any to any in via rl1
> ipfw add pipe 2 ip from any to any in via rl0
> ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> 
> I have added:
> 
> net.inet.ip.fw.one_pass=0
> net.inet.ip.dummynet.hash_size=256
> net.inet.ip.dummynet.max_chain_len=64
> 
> to sysctl.conf.
> 
> Does not seem to be working right. Have I got this wrong?
> 
> Thanks!
> 
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 08:59:00 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A8C837B401 for ; Mon, 16 Jun 2003 08:59:00 -0700 (PDT)
Received: from lennier.cc.vt.edu (lennier.cc.vt.edu [198.82.162.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5163643FA3 for ; Mon, 16 Jun 2003 08:58:59 -0700 (PDT) (envelope-from netprince@vt.edu)
Received: from dagger.cc.vt.edu (IDENT:mirapoint@evil-dagger [10.1.1.11]) by lennier.cc.vt.edu (8.12.8/8.12.8) with ESMTP id h5GFwwKH052163 for ; Mon, 16 Jun 2003 11:58:58 -0400 (EDT)
Received: from ben.pfountz.com (Snell.vpec.vt.edu [128.173.89.238]) by dagger.cc.vt.edu (Mirapoint Messaging Server MOS 3.3.2-CR) with ESMTP id BNS16514; Mon, 16 Jun 2003 11:58:54 -0400 (EDT)
Received: (qmail 15456 invoked from network); 16 Jun 2003 15:59:08 -0000
Received: from bpfountz.princenet (HELO benspiece) (192.168.17.101) by digitalpimp.princenet with SMTP; 16 Jun 2003 15:59:08 -0000
Message-ID: <001101c33420$37493bd0$6511a8c0@benspiece>
From: "Ben Pfountz"
To: ,
References: <3EEDE099.9080603@edgefocus.com>
Date: Mon, 16 Jun 2003 11:59:06 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: Re: ipfw, dummynet and a large subnet to shape
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 16 Jun 2003 15:59:00 -0000

You probably want something more like this:

ipfw -f flush
/sbin/natd -interface rl0
ipfw add divert natd all from any to any via rl0
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

Remember that incoming packets are destined for your outside interface until
the firewall diverts the packets to natd. For this reason, your pipe for
packets coming in on rl0 would have always had a dst-ip of your outside
interface.

Hope this helps.

Ben

----- Original Message -----
From: "Sean Hafeez"
To:
Sent: Monday, June 16, 2003 11:22 AM
Subject: ipfw, dummynet and a large subnet to shape

> I have been reading through all the links on Google and the man pages and
> facts and have come to realize that the information is quite - not
> right.
> 
> Here is what I need to do:
> 
> I have a network - 10.0.0.0/22 that is NAT'd. The external interface
> is rl0 and the internal is rl1. I want everyone shaped to 1024kbits/s.
> When I say everyone I mean each unique user (i.e., 10.0.0.23 or
> 10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
> and up.
> 
> Here is what I got.
> 
> ipfw -f flush
> /sbin/natd -interface rl0
> ipfw add 999 divert natd all from any to any via rl0
> ipfw add pipe 1 ip from any to any in via rl1
> ipfw add pipe 2 ip from any to any in via rl0
> ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> 
> I have added:
> 
> net.inet.ip.fw.one_pass=0
> net.inet.ip.dummynet.hash_size=256
> net.inet.ip.dummynet.max_chain_len=64
> 
> to sysctl.conf.
> 
> Does not seem to be working right. Have I got this wrong?
> 
> Thanks!
> 
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> 
> 

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 09:24:00 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C76437B401 for ; Mon, 16 Jun 2003 09:24:00 -0700 (PDT)
Received: from goliath.cnchost.com (goliath.cnchost.com [207.155.252.47]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF9BC43FBD for ; Mon, 16 Jun 2003 09:23:59 -0700 (PDT) (envelope-from sahafeez@edgefocus.com)
Received: from edgefocus.com ([12.106.69.222]) by goliath.cnchost.com id MAA26069; Mon, 16 Jun 2003 12:23:57 -0400 (EDT) [ConcentricHost SMTP Relay 1.15]
Errors-To:
Message-ID: <3EEDEF1D.9080107@edgefocus.com>
Date: Mon, 16 Jun 2003 09:23:57 -0700
From: Sean Hafeez
Organization: EdgeFocus, Inc.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Ben Pfountz
References: <3EEDE099.9080603@edgefocus.com> <001101c33420$37493bd0$6511a8c0@benspiece>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw, dummynet and a large subnet to shape
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: sahafeez@edgefocus.com
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 16 Jun 2003 16:24:00 -0000

Thanks. Just did that. I will see how it goes. I have one question:

ipfw pipe show

0001: 1.024 Mbit/s    0 ms   50 sl. 29 queues (256 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 32 ip        10.0.128.16/0         0.0.0.0/0        14      924  0    0   0
 64 ip        10.0.128.32/0         0.0.0.0/0         1       70  0    0   0
00002: 1.024 Mbit/s    0 ms   50 sl. 23 queues (256 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 17 ip          0.0.0.0/0         10.0.128.16/0       7      658  0    0   0
 33 ip          0.0.0.0/0         10.0.128.32/0       1      147  0    0   0
 35 ip          0.0.0.0/0         10.0.128.34/0       1      147  0    0   0

Sorry if it is hard to read - I just want to know why the IPs show up
as 0.0.0.0/0 and does it matter?

Are there any better docs on dummynet - the man page is not the best. I
would be interested in seeing any work that anyone has done. Google does
not really have a lot of good stuff.

Thanks!
Ben Pfountz wrote:
> You probably want something more like this:
> 
> ipfw -f flush
> /sbin/natd -interface rl0
> ipfw add divert natd all from any to any via rl0
> ipfw add pipe 1 ip from any to any in recv rl1
> ipfw add pipe 2 ip from any to any out xmit rl1
> ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> 
> Remember that incoming packets are destined for your outside interface until
> the firewall diverts the packets to natd. For this reason, your pipe for
> packets coming in on rl0 would have always had a dst-ip of your outside
> interface.
> 
> Hope this helps.
> 
> Ben
> 
> 
> ----- Original Message -----
> From: "Sean Hafeez"
> To:
> Sent: Monday, June 16, 2003 11:22 AM
> Subject: ipfw, dummynet and a large subnet to shape
> 
> 
> 
>>I have been reading through all the links on Google and the man pages and
>>facts and have come to realize that the information is quite - not
>>right.
>>
>>Here is what I need to do:
>>
>>I have a network - 10.0.0.0/22 that is NAT'd. The external interface
>>is rl0 and the internal is rl1. I want everyone shaped to 1024kbits/s.
>>When I say everyone I mean each unique user (i.e., 10.0.0.23 or
>>10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
>>and up.
>>
>>Here is what I got.
>>
>>ipfw -f flush
>>/sbin/natd -interface rl0
>>ipfw add 999 divert natd all from any to any via rl0
>>ipfw add pipe 1 ip from any to any in via rl1
>>ipfw add pipe 2 ip from any to any in via rl0
>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>>
>>I have added:
>>
>>net.inet.ip.fw.one_pass=0
>>net.inet.ip.dummynet.hash_size=256
>>net.inet.ip.dummynet.max_chain_len=64
>>
>>to sysctl.conf.
>>
>>Does not seem to be working right. Have I got this wrong?
>>
>>Thanks!
>>
>>_______________________________________________
>>freebsd-ipfw@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>>
> 
> 
> 
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> 
> 

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 09:58:18 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B0DB137B401 for ; Mon, 16 Jun 2003 09:58:18 -0700 (PDT)
Received: from lennier.cc.vt.edu (lennier.cc.vt.edu [198.82.162.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id DC9FD43FBF for ; Mon, 16 Jun 2003 09:58:17 -0700 (PDT) (envelope-from netprince@vt.edu)
Received: from zidane.cc.vt.edu (IDENT:mirapoint@evil-zidane [10.1.1.13]) by lennier.cc.vt.edu (8.12.8/8.12.8) with ESMTP id h5GGwHKH123827 for ; Mon, 16 Jun 2003 12:58:17 -0400 (EDT)
Received: from ben.pfountz.com (Snell.vpec.vt.edu [128.173.89.238]) by zidane.cc.vt.edu (Mirapoint Messaging Server MOS 3.3.2-CR) with ESMTP id BNM09333; Mon, 16 Jun 2003 12:58:12 -0400 (EDT)
Received: (qmail 29709 invoked from network); 16 Jun 2003 16:58:24 -0000
Received: from gellmann.vpec.vt.edu (HELO GELLMAN) (BinsFriend@128.173.89.135) by tunnel-client.princenet with RC4-MD5 encrypted SMTP; 16 Jun 2003 16:58:19 -0000
Message-ID: <002401c33428$72b2c300$0100a8c0@GELLMAN>
From: "Ben Pfountz"
To:
References: <3EEDE099.9080603@edgefocus.com> <001101c33420$37493bd0$6511a8c0@benspiece> <3EEDEF1D.9080107@edgefocus.com>
Date: Mon, 16 Jun 2003 12:57:45 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw, dummynet and a large subnet to shape
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 16 Jun 2003 16:58:19 -0000

My guess here, but...

It has to do with you using the src-ip and dst-ip in creating a mask for
each pipe. When using src-ip as a mask, the dst-ip doesn't matter and
therefore shows as 0.0.0.0/0.

A lot of the knowledge I have gained from dummynet came from trial and error.
I have not really written any of it down in a paper format, though I should.

Ben

----- Original Message -----
From: "Sean Hafeez"
To: "Ben Pfountz"
Cc:
Sent: Monday, June 16, 2003 12:23 PM
Subject: Re: ipfw, dummynet and a large subnet to shape

> Thanks. Just did that. I will see how it goes. I have one question:
> 
> ipfw pipe show
> 
> 0001: 1.024 Mbit/s    0 ms   50 sl. 29 queues (256 buckets) droptail
>     mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  32 ip        10.0.128.16/0         0.0.0.0/0        14      924  0    0   0
>  64 ip        10.0.128.32/0         0.0.0.0/0         1       70  0    0   0
> 00002: 1.024 Mbit/s    0 ms   50 sl. 23 queues (256 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>  17 ip          0.0.0.0/0         10.0.128.16/0       7      658  0    0   0
>  33 ip          0.0.0.0/0         10.0.128.32/0       1      147  0    0   0
>  35 ip          0.0.0.0/0         10.0.128.34/0       1      147  0    0   0
> 
> 
> Sorry if it is hard to read - I just want to know why the IPs show up
> as 0.0.0.0/0 and does it matter?
> 
> Are there any better docs on dummynet - the man page is not the best. I
> would be interested in seeing any work that anyone has done. Google does
> not really have a lot of good stuff.
> 
> 
> 
> Thanks!
> 
> 
> 
> 
> Ben Pfountz wrote:
> > You probably want something more like this:
> >
> > ipfw -f flush
> > /sbin/natd -interface rl0
> > ipfw add divert natd all from any to any via rl0
> > ipfw add pipe 1 ip from any to any in recv rl1
> > ipfw add pipe 2 ip from any to any out xmit rl1
> > ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> > ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> >
> > Remember that incoming packets are destined for your outside interface until
> > the firewall diverts the packets to natd. For this reason, your pipe for
> > packets coming in on rl0 would have always had a dst-ip of your outside
> > interface.
> >
> > Hope this helps.
> >
> > Ben
> >
> >
> > ----- Original Message -----
> > From: "Sean Hafeez"
> > To:
> > Sent: Monday, June 16, 2003 11:22 AM
> > Subject: ipfw, dummynet and a large subnet to shape
> >
> >
> >
> >>I have been reading through all the links on Google and the man pages and
> >>facts and have come to realize that the information is quite - not
> >>right.
> >>
> >>Here is what I need to do:
> >>
> >>I have a network - 10.0.0.0/22 that is NAT'd. The external interface
> >>is rl0 and the internal is rl1. I want everyone shaped to 1024kbits/s.
> >>When I say everyone I mean each unique user (i.e., 10.0.0.23 or
> >>10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
> >>and up.
> >>
> >>Here is what I got.
> >>
> >>ipfw -f flush
> >>/sbin/natd -interface rl0
> >>ipfw add 999 divert natd all from any to any via rl0
> >>ipfw add pipe 1 ip from any to any in via rl1
> >>ipfw add pipe 2 ip from any to any in via rl0
> >>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> >>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> >>
> >>I have added:
> >>
> >>net.inet.ip.fw.one_pass=0
> >>net.inet.ip.dummynet.hash_size=256
> >>net.inet.ip.dummynet.max_chain_len=64
> >>
> >>to sysctl.conf.
> >>
> >>Does not seem to be working right. Have I got this wrong?
> >>
> >>Thanks!
> >>
> >>_______________________________________________
> >>freebsd-ipfw@freebsd.org mailing list
> >>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> >>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> >>
> >>
> >
> >
> >
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> >
> >
> 
> 
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> 
> 

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 10:15:27 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28AE737B401 for ; Mon, 16 Jun 2003 10:15:27 -0700 (PDT)
Received: from goliath.cnchost.com (goliath.cnchost.com [207.155.252.47]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8202143F75 for ; Mon, 16 Jun 2003 10:15:26 -0700 (PDT) (envelope-from sahafeez@edgefocus.com)
Received: from edgefocus.com ([12.106.69.222]) by goliath.cnchost.com id NAA23558; Mon, 16 Jun 2003 13:15:26 -0400 (EDT) [ConcentricHost SMTP Relay 1.15]
Errors-To:
Message-ID: <3EEDFB2D.8070104@edgefocus.com>
Date: Mon, 16 Jun 2003 10:15:25 -0700
From: Sean Hafeez
Organization: EdgeFocus, Inc.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
X-Accept-Language: en-us, en
MIME-Version: 1.0
Cc: freebsd-ipfw@freebsd.org
References: <3EEDE099.9080603@edgefocus.com> <001101c33420$37493bd0$6511a8c0@benspiece> <3EEDEF1D.9080107@edgefocus.com> <002401c33428$72b2c300$0100a8c0@GELLMAN>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: ipfw, dummynet and a large subnet to shape
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: sahafeez@edgefocus.com
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 16 Jun 2003 17:15:27 -0000

Damn. I just had a brain fart. I have nodes (wireless APs) on this
network that I do not want limited. So based on the 1st matching rule,
if I:

ipfw -f flush
/sbin/natd -interface rl0
ipfw add divert natd all from any to any via rl0
ipfw add allow ip from any to 10.0.0.5
ipfw add allow ip from any to 10.0.0.6
ipfw add allow ip from 10.0.0.5 to any
ipfw add allow ip from 10.0.0.6 to any
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

Will it work? I want to exclude a range or a single IP from the pipe and
shape everything that is not excluded.

Ben Pfountz wrote:
> My guess here, but...
> 
> It has to do with you using the src-ip and dst-ip in creating a mask for
> each pipe. When using src-ip as a mask, the dst-ip doesn't matter and
> therefore shows as 0.0.0.0/0.
> 
> A lot of the knowledge I have gained from dummynet came from trial and error.
> I have not really written any of it down in a paper format, though I should.
> 
> Ben
> 
> 
> ----- Original Message -----
> From: "Sean Hafeez"
> To: "Ben Pfountz"
> Cc:
> Sent: Monday, June 16, 2003 12:23 PM
> Subject: Re: ipfw, dummynet and a large subnet to shape
> 
> 
> 
>>Thanks. Just did that. I will see how it goes. I have one question:
>>
>>ipfw pipe show
>>
>>0001: 1.024 Mbit/s    0 ms   50 sl. 29 queues (256 buckets) droptail
>>    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
>>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>> 32 ip        10.0.128.16/0         0.0.0.0/0        14      924  0    0   0
>> 64 ip        10.0.128.32/0         0.0.0.0/0         1       70  0    0   0
>>00002: 1.024 Mbit/s    0 ms   50 sl. 23 queues (256 buckets) droptail
>>    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
>>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>> 17 ip          0.0.0.0/0         10.0.128.16/0       7      658  0    0   0
>> 33 ip          0.0.0.0/0         10.0.128.32/0       1      147  0    0   0
>> 35 ip          0.0.0.0/0         10.0.128.34/0       1      147  0    0   0
>>
>>
>>Sorry if it is hard to read - I just want to know why the IPs show up
>>as 0.0.0.0/0 and does it matter?
>>
>>Are there any better docs on dummynet - the man page is not the best. I
>>would be interested in seeing any work that anyone has done. Google does
>>not really have a lot of good stuff.
>>
>>
>>
>>Thanks!
>>
>>
>>
>>
>>Ben Pfountz wrote:
>>
>>>You probably want something more like this:
>>>
>>>ipfw -f flush
>>>/sbin/natd -interface rl0
>>>ipfw add divert natd all from any to any via rl0
>>>ipfw add pipe 1 ip from any to any in recv rl1
>>>ipfw add pipe 2 ip from any to any out xmit rl1
>>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
>>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>>>
>>>Remember that incoming packets are destined for your outside interface until
>>>the firewall diverts the packets to natd. For this reason, your pipe for
>>>packets coming in on rl0 would have always had a dst-ip of your outside
>>>interface.
>>>
>>>Hope this helps.
>>>
>>>Ben
>>>
>>>
>>>----- Original Message -----
>>>From: "Sean Hafeez"
>>>To:
>>>Sent: Monday, June 16, 2003 11:22 AM
>>>Subject: ipfw, dummynet and a large subnet to shape
>>>
>>>
>>>
>>>
>>>>I have been reading through all the links on Google and the man pages and
>>>>facts and have come to realize that the information is quite - not
>>>>right.
>>>>
>>>>Here is what I need to do:
>>>>
>>>>I have a network - 10.0.0.0/22 that is NAT'd. The external interface
>>>>is rl0 and the internal is rl1. I want everyone shaped to 1024kbits/s.
>>>>When I say everyone I mean each unique user (i.e., 10.0.0.23 or
>>>>10.0.1.77 or 10.0.2.32) to be limited to a total of 1024kbits/s down
>>>>and up.
>>>>
>>>>Here is what I got.
>>>>
>>>>ipfw -f flush
>>>>/sbin/natd -interface rl0
>>>>ipfw add 999 divert natd all from any to any via rl0
>>>>ipfw add pipe 1 ip from any to any in via rl1
>>>>ipfw add pipe 2 ip from any to any in via rl0
>>>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
>>>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>>>>
>>>>I have added:
>>>>
>>>>net.inet.ip.fw.one_pass=0
>>>>net.inet.ip.dummynet.hash_size=256
>>>>net.inet.ip.dummynet.max_chain_len=64
>>>>
>>>>to sysctl.conf.
>>>>
>>>>Does not seem to be working right. Have I got this wrong?
>>>>
>>>>Thanks!
>>>>
>>>>_______________________________________________
>>>>freebsd-ipfw@freebsd.org mailing list
>>>>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>>>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>>>
>>>>
>>>
>>>
>>>
>>>_______________________________________________
>>>freebsd-ipfw@freebsd.org mailing list
>>>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>>
>>>
>>
>>
>>_______________________________________________
>>freebsd-ipfw@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>>
> 
> 
> 
> 
> 

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 10:25:09 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 22F8B37B401 for ; Mon, 16 Jun 2003 10:25:09 -0700 (PDT)
Received: from lennier.cc.vt.edu (lennier.cc.vt.edu [198.82.162.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2206143FD7 for ; Mon, 16 Jun 2003 10:25:08 -0700 (PDT) (envelope-from netprince@vt.edu)
Received: from zidane.cc.vt.edu (IDENT:mirapoint@evil-zidane [10.1.1.13]) by lennier.cc.vt.edu (8.12.8/8.12.8) with ESMTP id h5GHP7KH138464 for ; Mon, 16 Jun 2003 13:25:07 -0400 (EDT)
Received: from ben.pfountz.com (Snell.vpec.vt.edu [128.173.89.238]) by zidane.cc.vt.edu (Mirapoint Messaging Server MOS 3.3.2-CR) with ESMTP id BNM16129; Mon, 16 Jun 2003 13:25:00 -0400 (EDT)
Received: (qmail 36162 invoked from network); 16 Jun 2003 17:25:11 -0000
Received: from gellmann.vpec.vt.edu (HELO GELLMAN) (BinsFriend@128.173.89.135) by tunnel-client.princenet with RC4-MD5 encrypted SMTP; 16 Jun 2003 17:25:08 -0000
Message-ID: <003501c3342c$31658cd0$0100a8c0@GELLMAN>
From: "Ben Pfountz"
Date: Mon, 16 Jun 2003 13:24:35 -0400
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw, dummynet and a large subnet to shape

It looks like it should work, but you should always try it. I have almost never written a firewall ruleset that worked the way I expected it to work on the first try. You should take a laptop and become a wireless client, then try to download something with a reliably high download rate. Then you should go to one of your client machines on the LAN and try to download something as well. You could even reduce the bandwidth rate just for testing, for example 56Kbit/s. This would help to prove whether or not the pipes are working.

Ben

----- Original Message -----
From: "Sean Hafeez"
Sent: Monday, June 16, 2003 1:15 PM
Subject: Re: ipfw, dummynet and a large subnet to shape

> Damn. I just had a brain fart. I have nodes (wireless AP's) on this network that I do not want limited. So based on the 1st matching rule, if I:
>
> ipfw -f flush
> /sbin/natd -interface rl0
> ipfw add divert natd all from any to any via rl0
> ipfw add allow ip from any to 10.0.0.5
> ipfw add allow ip from any to 10.0.0.6
> ipfw add allow ip from 10.0.0.5 to any
> ipfw add allow ip from 10.0.0.6 to any
> ipfw add pipe 1 ip from any to any in recv rl1
> ipfw add pipe 2 ip from any to any out xmit rl1
> ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>
> Will it work? I want to exclude a range or a single IP from the pipe and shape everything that is not excluded.
>
> Ben Pfountz wrote:
> > My guess here, but...
> >
> > It has to do with you using the src-ip and dst-ip in creating a mask for each pipe. When using src-ip as a mask, the dst-ip doesn't matter and therefore shows as 0.0.0.0/0.
> >
> > A lot of the knowledge I have gained from dummynet came from trial and error. I have not really written any of it down in a paper format, though I should.
> >
> > Ben
> >
> > ----- Original Message -----
> > From: "Sean Hafeez"
> > To: "Ben Pfountz"
> > Sent: Monday, June 16, 2003 12:23 PM
> > Subject: Re: ipfw, dummynet and a large subnet to shape
> >
> >>Thanks. Just did that. I will see how it goes. I have one question:
> >>
> >>ipfw pipe show
> >>
> >>0001: 1.024 Mbit/s 0 ms 50 sl. 29 queues (256 buckets) droptail
> >>    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
> >>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
> >> 32 ip            10.0.128.16/0            0.0.0.0/0      14     924   0    0   0
> >> 64 ip            10.0.128.32/0            0.0.0.0/0       1      70   0    0   0
> >>00002: 1.024 Mbit/s 0 ms 50 sl. 23 queues (256 buckets) droptail
> >>    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
> >>BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
> >> 17 ip                0.0.0.0/0        10.0.128.16/0       7     658   0    0   0
> >> 33 ip                0.0.0.0/0        10.0.128.32/0       1     147   0    0   0
> >> 35 ip                0.0.0.0/0        10.0.128.34/0       1     147   0    0   0
> >>
> >>Sorry if it is hard to read - I just want to know why the IP's show up as 0.0.0.0/0 and does it matter?
> >>
> >>Is there any better docs on dummynet - the man page is not the best. I would be interested in seeing any work that anyone has done. Google does not really have a lot of good stuff.
> >>
> >>Thanks!
> >>
> >>Ben Pfountz wrote:
> >>
> >>>You probably want something more like this:
> >>>
> >>>ipfw -f flush
> >>>/sbin/natd -interface rl0
> >>>ipfw add divert natd all from any to any via rl0
> >>>ipfw add pipe 1 ip from any to any in recv rl1
> >>>ipfw add pipe 2 ip from any to any out xmit rl1
> >>>ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
> >>>ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
> >>>
> >>>Remember that incoming packets are destined for your outside interface until the firewall diverts the packets to natd.
> >>>For this reason, your pipe for packets coming in on rl0 would always have had a dst-ip of your outside interface.
> >>>
> >>>Hope this helps.
> >>>
> >>>Ben
> >>>
> >>>----- Original Message -----
> >>>From: "Sean Hafeez"
> >>>To:
> >>>Sent: Monday, June 16, 2003 11:22 AM
> >>>Subject: ipfw, dummynet and a large subnet to shape
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 11:01:39 2003
Date: Mon, 16 Jun 2003 11:01:38 -0700 (PDT)
Message-Id:
<200306161801.h5GI1cZS033840@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/01/26] kern/47529  ipfw   natd/ipfw lose TCP packets for firewalled
o [2003/03/23] kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

2 problems total.

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/18] kern/51132  ipfw   kernel part of ipfw1 processes 'to not me
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
o [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

4 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
f [2002/01/11] kern/33804  ipfw   ipfw bug/problem
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/01/05] bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/02/06] bin/48015   ipfw   make ipfw2 work with iplen ranges
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/04/20] kern/51182  ipfw   ipfw2. -d list shows couters for dynamic

12 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 16 11:45:21 2003
Date: 16 Jun 2003 20:45:17 +0200
From: "clemens fischer"
To: "Ben Pfountz"
cc: freebsd-ipfw@freebsd.org
cc: sahafeez@edgefocus.com
Subject: Re: ipfw, dummynet and a large subnet to shape

* Ben Pfountz:

> It looks like it should work, but you should always try it. I have almost
> never written a firewall ruleset that worked the way I expected it to work
> on the first try. You should take a laptop and become a wireless client,
> then try to download something with a reliably high download rate. Then you
> should go to one of your client machines on the LAN and try to download
> something as well. You could even reduce the bandwidth rate just for
> testing, for example 56Kbit/s. This would help to prove whether or not the
> pipes are working.

... and post the ruleset that works, please ...
clemens

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 19 03:31:52 2003
From: Ari Suutari
Organization: Syncron Tech Oy
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Date: Thu, 19 Jun 2003 13:31:40 +0300
Message-Id: <200306191331.40421.ari.suutari@syncrontech.com>
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: patches for ipsec packet filtering support in ipfw2

Hi,

Here are two small patches (done on 5.1-RELEASE, but should be ok for -current also) which add a new "ipsec" flag to ipfw2. Rules with this flag match only packets that have ipsec history (ie. came from ipsec processing). Rules with "not ipsec" match only non-ipsec packets. Without the new keyword, both types of packets match (as before).

To try these out, apply the patches, and compile the kernel with

    options IPFIREWALL
    options IPSEC
    options IPSEC_ESP
    options IPSEC_FILTERGIF

Also, recompile /usr/src/sbin/ipfw and install it.

With the new flag it is easily possible to stop spoofing from RFC1918 networks, but allow traffic from those nets if it is coming from IPsec:

    ipfw add deny all from 192.168.0.0/16 to any via ${oif} not ipsec
    ipfw add pass tcp from 192.168.x.y/24 to a.b.c.d 23 ipsec setup

This example drops spoofed packets, but allows a telnet connection *if* the packet comes via ipsec.

My testing has been done on a 5.1-RELEASE machine. It seems to work, and it didn't crash anything.

I hope that this flag is useful to others too, maybe someone could get it committed into -current ?

Ari S.
Lappeenranta, Finland

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 19 09:59:03 2003
Date: 19 Jun 2003 18:58:52 +0200
From: "clemens fischer"
To: "Ari Suutari"
cc: freebsd-ipfw@freebsd.org
Subject: Re: patches for ipsec packet filtering support in ipfw2

* Ari Suutari:

> Here are two small patches (done on 5.1-RELEASE, but should be ok
> for -current also) which add new "ipsec" flag to ipfw2.

i did not receive any attachments. will this functionality be included into freebsd-5 in the future?

clemens

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 19 11:30:05 2003
Message-ID: <000901c33691$4d4bd8c0$0235a8c0@raisa>
From: "Ari Suutari"
To: "clemens fischer"
Date: Thu, 19 Jun 2003 21:33:33 +0300
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: patches for ipsec packet filtering support in ipfw2

Hi,

> * Ari Suutari:
>
> > Here are two small patches (done on 5.1-RELEASE, but should be ok
> > for -current also) which add new "ipsec" flag to ipfw2.
>
> i did not receive any attachments. will this functionality be
> included into freebsd-5 in the future?

Does the mailing list strip attachments ? Here they are, one for /sys/netinet and the other for /usr/src/sbin/ipfw:

This is for /sys/netinet:

Index: ip_fw.h =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.76.2.1 diff -u -r1.76.2.1 ip_fw.h --- ip_fw.h 4 Jun 2003 02:19:36 -0000 1.76.2.1 +++ ip_fw.h 19 Jun 2003 08:17:44 -0000 @@ -119,6 +119,7 @@ O_TEE, /* arg1=port number */ O_FORWARD_IP, /* fwd sockaddr */ O_FORWARD_MAC, /* fwd mac */ + O_IPSEC, /* has ipsec history */ O_LAST_OPCODE /* not an opcode! */ }; Index: ip_fw2.c =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.28.2.1 diff -u -r1.28.2.1 ip_fw2.c --- ip_fw2.c 4 Jun 2003 02:19:36 -0000 1.28.2.1 +++ ip_fw2.c 19 Jun 2003 18:24:40 -0000
@@ -1787,6 +1787,14 @@ (TH_RST | TH_ACK | TH_SYN)) != TH_SYN); break; + case O_IPSEC: +#ifdef IPSEC + match = (ipsec_gethist(m, NULL) != NULL); +#else + match = 0; +#endif + break; + case O_LOG: if (fw_verbose) ipfw_log(f, hlen, args->eh, m, oif); @@ -2378,6 +2386,7 @@ case O_TCPFLAGS: case O_TCPOPTS: case O_ESTAB: + case O_IPSEC: case O_VERREVPATH: if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; --------------- This is for /usr/src/sbin/ipfw: Index: ipfw.8 =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.122 diff -u -r1.122 ipfw.8 --- ipfw.8 15 Mar 2003 01:13:00 -0000 1.122 +++ ipfw.8 19 Jun 2003 10:21:30 -0000 @@ -835,6 +835,8 @@ specified as argument. .It Cm established Matches TCP packets that have the RST or ACK bits set. +.It Cm ipsec +Matches IP packets that have originated from IPsec stack. .It Cm frag Matches packets that are fragments and not the first fragment of an IP datagram. Note that these packets will not have Index: ipfw2.c =================================================================== RCS file: /net/pommac/scratch/freebsd-cvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.23.2.1 diff -u -r1.23.2.1 ipfw2.c --- ipfw2.c 4 Jun 2003 02:19:36 -0000 1.23.2.1 +++ ipfw2.c 19 Jun 2003 08:25:33 -0000 @@ -242,6 +242,7 @@ TOK_DROPTAIL, TOK_PROTO, TOK_WEIGHT, + TOK_IPSEC, }; struct _s_x dummynet_params[] = { @@ -335,6 +336,7 @@ { "mac", TOK_MAC }, { "mac-type", TOK_MACTYPE }, { "verrevpath", TOK_VERREVPATH }, + { "ipsec", TOK_IPSEC }, { "not", TOK_NOT }, /* pseudo option */ { "!", /* escape ? */ TOK_NOT }, /* pseudo option */ @@ -1131,6 +1133,10 @@ printf(" established"); break; + case O_IPSEC: + printf(" ipsec"); + break; + case O_TCPFLAGS: print_flags("tcpflags", cmd, f_tcpflags); break; 
@@ -3050,6 +3056,10 @@ case TOK_ESTAB: fill_cmd(cmd, O_ESTAB, 0, 0); + break; + + case TOK_IPSEC: + fill_cmd(cmd, O_IPSEC, 0, 0); break; case TOK_SETUP: -- Ari S. From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 19 11:56:58 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2C75A37B401; Thu, 19 Jun 2003 11:56:58 -0700 (PDT) Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6121343F85; Thu, 19 Jun 2003 11:56:57 -0700 (PDT) (envelope-from simon@arthur.nitro.dk) Received: by arthur.nitro.dk (Postfix, from userid 1000) id C4F4810BF8B; Thu, 19 Jun 2003 20:56:55 +0200 (CEST) Date: Thu, 19 Jun 2003 20:56:55 +0200 
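Review bot: in the ip_fw2.c hunk at @@ -1787 the #else branch sets match = 0 whenever the kernel is built without IPSEC, so an "ipsec" rule silently never matches and a "not ipsec" rule matches every packet, which turns the anti-spoofing example in the cover letter into a rule that does nothing while looking correct. The cover letter says options IPSEC is required, but nothing enforces it; consider rejecting O_IPSEC at rule-install time in the validity check at @@ -2378 (return EINVAL under #ifndef IPSEC) so the operator gets an error instead of a rule that never fires.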
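Review bot: the ipfw.8 hunk documents only the positive form. Since the use case in the cover letter is "not ipsec", the entry should also state that "not ipsec" matches packets without IPsec history and that the keyword needs a kernel built with options IPSEC (and IPSEC_FILTERGIF for gif tunnels), otherwise the match never succeeds. "Matches IP packets that have originated from IPsec stack" also reads oddly; "Matches packets that have been processed by the IPsec stack (have IPsec history)" follows the comment on O_IPSEC in ip_fw.h.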
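Review bot: TOK_IPSEC is appended after TOK_WEIGHT in the enum at @@ -242, i.e. at the tail of the dummynet parameter tokens, while it is looked up from the rule-options table at @@ -335 next to TOK_VERREVPATH. Moving it beside the other rule-option tokens keeps the enum grouped the way the tables are; no functional impact.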
From: "Simon L. Nielsen"
To: Ari Suutari
Message-ID: <20030619185654.GA408@nitro.dk>
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: patches for ipsec packet filtering support in ipfw2

On 2003.06.19 21:33:33 +0300, Ari Suutari wrote:
> Hi,
>
> > * Ari Suutari:
> >
> > > Here are two small patches (done on 5.1-RELEASE, but should be ok
> > > for -current also) which add new "ipsec" flag to ipfw2.
> >
> > i did not receive any attachments. will this functionality be
> > included into freebsd-5 in the future?
>
> Does the mailing list strip attachments ?

Yes, and it has in fact recently been documented :-).
http://www.freebsd.org/doc/en/books/handbook/eresources.html#ERESOURCES-MAILFILTERING

Your code looks interesting, but since I don't have IPsec set up (yet) I can't really test it. If no committer picks it up right away, I would suggest submitting it as a PR to make sure it isn't forgotten. Then hopefully one of the ipfw gurus will have a look at it at some point.

--
Simon L.
Nielsen

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 19 15:54:43 2003
Message-ID: <3EF23F30.3030803@edgefocus.com>
Date: Thu, 19 Jun 2003 15:54:40 -0700
From: Sean Hafeez
Organization: EdgeFocus, Inc.
To: freebsd-ipfw@freebsd.org
Subject: IP's per pipe?

#ipfw pipe 1 config bw 128kbits/s
#ipfw pipe 4 config bw 384kbits/s
#ipfw add 100 pipe 1 ip from any to 192.168.43.2
#ipfw add 102 pipe 4 ip from 192.168.43.2 to any
#ipfw add 103 pipe 1 ip from any to 192.168.43.3
#ipfw add 105 pipe 4 ip from 192.168.43.3 to any

is it a new pipe for each rule or will .2 and .3 be tossed in the same 128/384k pipe?

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 19 15:58:51 2003
Date: Fri, 20 Jun 2003 00:58:50 +0200
From: "Simon L. Nielsen"
To: Sean Hafeez
Message-ID: <20030619225850.GJ408@nitro.dk>
cc: freebsd-ipfw@freebsd.org
Subject: Re: IP's per pipe?

On 2003.06.19 15:54:40 -0700, Sean Hafeez wrote:
> #ipfw pipe 1 config bw 128kbits/s
> #ipfw pipe 4 config bw 384kbits/s
> #ipfw add 100 pipe 1 ip from any to 192.168.43.2
> #ipfw add 102 pipe 4 ip from 192.168.43.2 to any
> #ipfw add 103 pipe 1 ip from any to 192.168.43.3
> #ipfw add 105 pipe 4 ip from 192.168.43.3 to any
>
> is it a new pipe for each rule or will .2 and .3 be tossed in the same
> 128/384k pipe?

They will be in the same pipe(s). You can use queues to prioritize them in the two pipes, or use masks to create pipes per IP/port.

--
Simon L.
Nielsen

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 19 16:02:32 2003
Message-ID: <3EF24104.1010704@edgefocus.com>
Date: Thu, 19 Jun 2003 16:02:28 -0700
From: Sean Hafeez
Organization: EdgeFocus, Inc.
To: "Simon L. Nielsen"
cc: freebsd-ipfw@freebsd.org
Subject: Re: IP's per pipe?

it will have to be queues. mask would not work because i may have .5 at 1024k and .6 at 384k. no way to do that.

thanks for the info.

Simon L. Nielsen wrote:
> On 2003.06.19 15:54:40 -0700, Sean Hafeez wrote:
>
>>#ipfw pipe 1 config bw 128kbits/s
>>#ipfw pipe 4 config bw 384kbits/s
>>#ipfw add 100 pipe 1 ip from any to 192.168.43.2
>>#ipfw add 102 pipe 4 ip from 192.168.43.2 to any
>>#ipfw add 103 pipe 1 ip from any to 192.168.43.3
>>#ipfw add 105 pipe 4 ip from 192.168.43.3 to any
>>
>>is it a new pipe for each rule or will .2 and .3 be tossed in the same
>>128/384k pipe?
>
> They will be in the same pipe(s). You can use queues to prioritize them in
> the two pipes, or use masks to create pipes per IP/port.
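The two points made in the threads above, Ben's explanation that a "mask src-ip" pipe keys its queues on the source address only (so "ipfw pipe show" prints 0.0.0.0/0 for the destination) and Sean's conclusion here that one masked pipe cannot give two hosts different rates, modelled in Python as an added example. This is not dummynet code; the traffic, pipe numbers and counters are constructed for the illustration.

```python
"""Model of how dummynet(4) keys traffic into queues, written for this thread
(not ipfw/dummynet code). A pipe without a mask has a single queue that every
matching packet shares; a pipe with a mask gets one dynamic queue per distinct
masked flow, and each such queue is a full-bandwidth instance of the pipe.
Fields outside the mask are zeroed in the flow key, which is why 'ipfw pipe
show' prints 0.0.0.0/0 for the destination of a 'mask src-ip' pipe.
"""
import ipaddress
from dataclasses import dataclass, field

FULL = 0xFFFFFFFF  # the 0xffffffff value used in the thread's mask options


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class FlowKey:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Pipe:
    number: int
    bw_kbits: int
    src_ip_mask: int = 0    # "mask src-ip 0xffffffff" -> FULL
    dst_ip_mask: int = 0    # "mask dst-ip 0xffffffff" -> FULL
    src_port_mask: int = 0  # "mask src-port 0xffff" would be 0xFFFF
    dst_port_mask: int = 0
    queues: dict = field(default_factory=dict)  # FlowKey -> [packets, bytes]

    def flow_key(self, pkt: Packet) -> FlowKey:
        """AND each header field with its mask; unmasked fields collapse to 0."""
        src = int(ipaddress.IPv4Address(pkt.src)) & self.src_ip_mask
        dst = int(ipaddress.IPv4Address(pkt.dst)) & self.dst_ip_mask
        return FlowKey(str(ipaddress.IPv4Address(src)), pkt.sport & self.src_port_mask,
                       str(ipaddress.IPv4Address(dst)), pkt.dport & self.dst_port_mask)

    def enqueue(self, pkt: Packet, nbytes: int) -> FlowKey:
        """Account the packet to the queue selected by its masked flow key."""
        key = self.flow_key(pkt)
        counters = self.queues.setdefault(key, [0, 0])
        counters[0] += 1
        counters[1] += nbytes
        return key

    def bandwidth_for(self, pkt: Packet) -> int:
        """Every queue of a masked pipe gets the pipe's full configured rate,
        so a single masked pipe cannot give two hosts different limits."""
        return self.bw_kbits

    def show(self) -> list:
        """Render the pipe like the 'ipfw pipe show' listing quoted in the thread."""
        lines = [f"{self.number:05d}: {self.bw_kbits / 1000:.3f} Mbit/s "
                 f"{len(self.queues)} queues"]
        for key, (pkts, nbytes) in self.queues.items():
            lines.append(f"  ip {key.src}/{key.sport} {key.dst}/{key.dport} "
                         f"{pkts} {nbytes}")
        return lines


def demo() -> dict:
    """Constructed traffic from two LAN hosts to two outside hosts, pushed
    through the three pipe configurations discussed in the threads."""
    traffic = [
        (Packet("10.0.128.16", "198.51.100.7", 40000, 80), 924),
        (Packet("10.0.128.16", "203.0.113.9", 40001, 443), 600),
        (Packet("10.0.128.32", "198.51.100.7", 5000, 53), 70),
    ]
    pipes = {
        "unmasked": Pipe(1, 128),                     # the "IP's per pipe?" case
        "by_src": Pipe(2, 1024, src_ip_mask=FULL),    # Sean's "mask src-ip" pipe
        "by_pair": Pipe(3, 1024, src_ip_mask=FULL, dst_ip_mask=FULL),
    }
    for pipe in pipes.values():
        for pkt, nbytes in traffic:
            pipe.enqueue(pkt, nbytes)
    return pipes


if __name__ == "__main__":
    for pipe in demo().values():
        print("\n".join(pipe.show()))
```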
From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 20 21:12:31 2003
From: Don Bowman
To: "'freebsd-ipfw@freebsd.org'"
Date: Sat, 21 Jun 2003 00:12:23 -0400
Subject: arp, skipto, deny rules

I have a setup where I have H1(ip=1.0.0.1) bridged to H2(ip=1.0.0.2). When net.link.ether.bridge_ipfw=1, my rules are hit and the counters go up, so far so good.

I would like to implement an ACL for sets of IP. Since ipfw doesn't allow 'and' (I would have written deny from where not ip1 and not ip2 ...), i used a skipto rule.

I find in the below rules that when rule 25 is present, ARP packets are not passed through the bridge. When rule 25 is removed, arp packets pass ok.

once the arp is known, packets pass just fine.

Any suggestions?

I have: em0, em1 on one side of the bridge, em4, em5 on the other. em2 is my ssh etc access, so i have it excluded.

When I set net.link.ether.bridge_ipfw=0, the packets flow, or if I delete rule 25 the packets flow...
Why are

ipfw pipe 1 config bw 50Mbit/s queue 96Kbytes gred 0.002/30000/81920/0.1
ipfw pipe 2 config bw 100kbit/s mask src-ip 0xffffffff queue 8Kbytes gred 0.002/4500/7500/0.1
ipfw pipe 3 config bw 100kbit/s mask dst-ip 0xffffffff queue 8Kbytes gred 0.002/4500/7500/0.1

1 allow ip from me to me
10 allow ip from any to any via em2
20 skipto 30 ip from { 10.0.0.0/8 or 192.168.0.0/16 or 1.0.0.0/8 } to any
25 deny ip from any to any
30 allow tcp from any to any setup limit src-addr 5
40 pipe 2 ip from any to any recv em0
40 pipe 2 ip from any to any recv em1
50 pipe 3 ip from any to any recv em4
50 pipe 3 ip from any to any recv em5
60 pipe 1 ip from any to any in
65535 allow ip from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 21 06:53:38 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DDE137B401 for ; Sat, 21 Jun 2003 06:53:38 -0700 (PDT) Received: from mail.broadpark.no (mail.broadpark.no [217.13.4.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7005343FA3 for ; Sat, 21 Jun 2003 06:53:37 -0700 (PDT) (envelope-from oivind.danielsen@kopek.net) Received: from OIVIND2 (213-187-164-30.dd.nextgentel.com [213.187.164.30]) by mail.broadpark.no (Postfix) with SMTP id 1E25E78638 for ; Sat, 21 Jun 2003 15:53:36 +0200 (MEST) 
From: "Oivind H. Danielsen" To: Date: Sat, 21 Jun 2003 15:53:32 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) Importance: Normal In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: RE: arp, skipto, deny rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jun 2003 13:53:38 -0000

> I find in the below rules, that when rule 25 is present, that
> ARP packets are not passed through the bridge. When rule 25 is removed,
> arp packets pass ok.
>
> once the arp is known, packets pass just fine.

AFAIK, rule 25 will block everything, including layer2 packets. You can explicitly allow ARP packets using the following rule:

${fwcmd} add 24 allow mac any any mac-type arp

or, better yet, use the layer2 keyword to define sections in your rule set for the various traffic categories, as described in the man page. This way you don't have to have an implicit "deny-all" policy for layer2 traffic, which you get with your current ruleset.

Best Regards,
Oivind H. Danielsen
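Don's ruleset with the fix Oivind describes applied, as an added example that is not part of either message: the ARP allow sits in a layer-2 section ahead of the catch-all deny, so the bridge can resolve addresses before the IP ACL is consulted. Like the other example on this page it is a dry-run generator in rc.firewall style: `fwcmd` is assumed to be `echo ipfw` unless the caller exports `fwcmd=/sbin/ipfw`; interface names, prefixes and pipe parameters are the ones Don posted, and rule 15 is the one line this example adds.

```shell
#!/bin/sh
# Added example, not from the thread. Regenerates Don's bridge ruleset with
# an explicit layer-2 ARP allow in front of the deny.
# Assumption: fwcmd defaults to a dry run ("echo ipfw"); export
# fwcmd=/sbin/ipfw and run as root (with net.link.ether.bridge_ipfw=1) to apply.
fwcmd="${fwcmd:-echo ipfw}"

bridge_rules() {
    # Shaper pipes, unchanged from the posted config.
    $fwcmd pipe 1 config bw 50Mbit/s queue 96Kbytes gred 0.002/30000/81920/0.1
    $fwcmd pipe 2 config bw 100kbit/s mask src-ip 0xffffffff queue 8Kbytes gred 0.002/4500/7500/0.1
    $fwcmd pipe 3 config bw 100kbit/s mask dst-ip 0xffffffff queue 8Kbytes gred 0.002/4500/7500/0.1

    $fwcmd add 1 allow ip from me to me
    $fwcmd add 10 allow ip from any to any via em2

    # Layer-2 section. With bridge_ipfw=1 every bridged frame walks this list,
    # IP or not. An ARP frame carries no IP header, so the "ip from any to any"
    # body of rule 25 still matches it and would drop it. Match ARP by its
    # Ethernet type first; "layer2" restricts the rule to the bridge pass.
    $fwcmd add 15 allow ip from any to any mac-type arp layer2

    # IP ACL: sources outside the three prefixes fall through to the deny.
    $fwcmd add 20 skipto 30 ip from { 10.0.0.0/8 or 192.168.0.0/16 or 1.0.0.0/8 } to any
    $fwcmd add 25 deny ip from any to any

    $fwcmd add 30 allow tcp from any to any setup limit src-addr 5
    $fwcmd add 40 pipe 2 ip from any to any recv em0
    $fwcmd add 40 pipe 2 ip from any to any recv em1
    $fwcmd add 50 pipe 3 ip from any to any recv em4
    $fwcmd add 50 pipe 3 ip from any to any recv em5
    $fwcmd add 60 pipe 1 ip from any to any in
    # Rule 65535 is the kernel's built-in default and is not added by hand.
}

bridge_rules
```

The practitioner's check after loading this is `ipfw -a list` while a host on one side pings a host on the other: the counter on rule 15 must move and the counter on rule 25 must stay still for ARP; if rule 25 keeps counting, something other than ARP is arriving from a source outside the three prefixes, and that is what the ACL is there to catch.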
