From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 14 01:58:42 2003
Message-ID: <3F642DC2.8030804@trio.plala.or.jp>
Date: Sun, 14 Sep 2003 17:58:42 +0900
From: Eitarou Kamo
To: ipfw@freebsd.org
Subject: dynamic destination

Hi all,

I have a question about ipfw. Any suggestion is appreciated.

I want to assign the destination of a packet dynamically based on the destination host's state (dead or alive). Is it possible to forward the packet to the host that is alive with ipfw? I know ipfw has an icmp option. Is it available in this case?

Eitarou

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 03:54:05 2003
Date: Mon, 15 Sep 2003 03:54:04 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Message-ID: <20030915035404.A77950@xorpc.icir.org>
Subject: proposed ipfw2 patch

Hi,

the following code implements a '-b' flag for ipfw so that it only prints rule numbers, counters, action and comment -- basically it skips the body of the rule, which can be extremely long if you use address lists or sets extensively. In these cases, a comment might prove more useful to read.

I believe we do not have time to put this in 4.9 but maybe someone will find it useful.

cheers
luigi

Index: ipfw2.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.4.2.18 diff -u -r1.4.2.18 ipfw2.c --- ipfw2.c 15 Sep 2003 10:27:03 -0000 1.4.2.18 +++ ipfw2.c 15 Sep 2003 10:48:02 -0000 @@ -65,6 +65,7 @@ do_compact, /* show rules in compact mode */ show_sets, /* display rule sets */ test_only, /* only check syntax */ + comment_only, /* only print action and comment */ verbose; #define IP_MASK_ALL 0xffffffff @@ -850,6 +851,8 @@ static void show_prerequisites(int *flags, int want, int cmd) { + if (comment_only) + return; if ( (*flags & HAVE_IP) == HAVE_IP) *flags |= HAVE_OPTIONS; @@ -880,7 +883,7 @@ static int twidth = 0; int l; ipfw_insn *cmd; - char *comment = NULL; /* ptr to comment if we have one */ + const char * comment = NULL; /* ptr to comment if we have one */ int proto = 0; /* default */ int flags = 0; /* prerequisites */ ipfw_insn_log *logptr = NULL; /* set if we find an O_LOG */
@@ -1030,11 +1033,21 @@ flags |= HAVE_IP | HAVE_OPTIONS; } + if (comment_only) + comment = "..."; + for (l = rule->act_ofs, cmd = rule->cmd ; l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) { /* useful alias */ ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd; + if (comment_only) { + if (cmd->opcode != O_NOP) + continue; + printf(" // %s\n", (char *)(cmd + 1)); + return; + } + show_prerequisites(&flags, 0, cmd->opcode); switch(cmd->opcode) { @@ -3682,10 +3695,15 @@ save_av = av; optind = optreset = 0; - while ((ch = getopt(ac, av, "acdefhnNqs:STtv")) != -1) + while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1) switch (ch) { case 'a': do_acct = 1; + break; + + case 'b': + comment_only = 1; + do_compact = 1; break; case 'c':

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 04:15:27 2003
Date: Mon, 15 Sep 2003 04:15:26 -0700
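Review bot: the @@ -3682 hunk of the ipfw2.c patch above adds 'b' to the getopt string, but no hunk in this diff touches the usage text or the ipfw(8) manual page, so the new flag stays undocumented; add it to both, and say there that -b also sets do_compact = 1, i.e. it implies -c.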
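Review bot: in the @@ -1030 hunk of the ipfw2.c patch the comment_only path has two exits: on an O_NOP it prints " // %s\n" and returns from inside the body loop, and for a rule without a comment it falls out of the loop with comment = "..." to whatever follows the loop (not shown in the diff). Check that both paths print the trailing newline exactly once, and add a short comment that "..." is the placeholder for a rule whose body was skipped but which carries no comment, since the placeholder is otherwise indistinguishable from a real comment of three dots.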
From: Luigi Rizzo
To: ipfw@freebsd.org
Message-ID: <20030915041525.B77950@xorpc.icir.org>
Subject: ipfw2 logging through tcpdump ?

having recently played a bit with largish ipfw configurations, I would have really liked to have a more flexible logging facility for ipfw.

It occurred to me that one way could be to extend the ipfw2 "log" option to optionally pass to a bpf listener a copy of the packets selected by the ipfw rule (maybe with some tag showing the rule they come from) so that one can run a tcpdump on that stream when detailed analysis is required, and have essentially zero overhead in other cases.

What do people think ? Implementation should be almost trivial, amounting to creating a fake struct ifnet for ipfw2 (suitably initialized to give it a name and pretend it is up and running and has an address assigned), calling bpfattach() on it, and then implementing an ipfw2 instruction which always succeeds and, if there is a listener, calls bpf_mtap on the mbuf.

Does this make sense ? And, any idea on how to tag the packet with a rule number in a way that tcpdump can filter (yes, I am looking for dirty hacks here...)

(and speaking of dirty hacks, of course layer3 packets can be easily prepended with a fake MAC header which includes the matching rule number in the ether src/dst addresses, but this trick won't work for layer2 packets, which we do care about).
cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 04:38:28 2003
Date: Mon, 15 Sep 2003 13:38:25 +0200
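The fake MAC header tagging Luigi sketches in the message above, as an added example that is not code from this thread or from FreeBSD: a userland encoder/decoder with hypothetical names (ipfw_tag_encode, ipfw_tag_decode, ip4_wire_copy, ipfw_tagged_frame, sample_frame). It assumes, as FreeBSD 4.x does, that the kernel keeps ip_len and ip_off in host byte order while the packet is inside the stack, and therefore builds a wire-order copy of the IP header instead of byte-swapping the live one.

```c
/* Added example, not code from this thread or from FreeBSD: the fake MAC
 * header tagging Luigi sketches, done in userland with hypothetical names.
 * Assumes, as FreeBSD 4.x does, that ip_len and ip_off are kept in host
 * byte order while the packet is inside the stack. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define FAKE_ETHER_LEN 14
#define IP4_HDR_LEN    20
#define ETHERTYPE_IPV4 0x0800
#define TAG_LAA  0x02   /* locally administered unicast: never a real vendor OUI */
#define TAG_MARK 0x46   /* 'F' in octet 1 marks the frame as an ipfw tag */

struct ipfw_tag {
    uint32_t rule;      /* number of the rule that matched */
    uint8_t  set;       /* rule set the rule belongs to */
    uint8_t  outbound;  /* 1 = packet leaving the box, 0 = entering */
};

/* IPv4 header laid out as the 4.x kernel holds it in memory. */
struct ip4_host {
    uint8_t  vhl, tos;
    uint16_t len, id, off;  /* len and off in host order, id in wire order */
    uint8_t  ttl, proto;
    uint16_t sum;
    uint32_t src, dst;
};

/* dst = 02:46:<rule, 4 bytes big-endian>, so "ether[2:4] = N" selects rule N;
 * src = 02:46:<direction>:<set>:00:00; ethertype 0x0800 as in the patch. */
void ipfw_tag_encode(uint8_t hdr[FAKE_ETHER_LEN], const struct ipfw_tag *t)
{
    uint32_t rule_be = htonl(t->rule);
    memset(hdr, 0, FAKE_ETHER_LEN);
    hdr[0] = TAG_LAA; hdr[1] = TAG_MARK;
    memcpy(hdr + 2, &rule_be, sizeof rule_be);
    hdr[6] = TAG_LAA; hdr[7] = TAG_MARK;
    hdr[8] = t->outbound ? 1 : 0;
    hdr[9] = t->set;
    hdr[12] = ETHERTYPE_IPV4 >> 8; hdr[13] = ETHERTYPE_IPV4 & 0xff;
}

/* Read the tag back from a captured frame: 0 on success, -1 if the frame is
 * truncated, lacks the marker, or is not IPv4 (never trust ether[2:4] blindly). */
int ipfw_tag_decode(const uint8_t *frame, size_t len, struct ipfw_tag *t)
{
    uint32_t rule_be;
    if (len < FAKE_ETHER_LEN + IP4_HDR_LEN)
        return -1;
    if (frame[0] != TAG_LAA || frame[1] != TAG_MARK ||
        frame[6] != TAG_LAA || frame[7] != TAG_MARK)
        return -1;
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_IPV4)
        return -1;
    memcpy(&rule_be, frame + 2, sizeof rule_be);
    t->rule = ntohl(rule_be);
    t->outbound = frame[8] & 1;
    t->set = frame[9];
    return 0;
}

/* Wire-order copy of the header in a separate buffer: the live header is
 * never touched, so nothing has to be swapped back after the tap. */
void ip4_wire_copy(const struct ip4_host *h, uint8_t out[IP4_HDR_LEN])
{
    uint16_t be;
    memcpy(out, h, IP4_HDR_LEN);
    be = htons(h->len); memcpy(out + 2, &be, sizeof be);
    be = htons(h->off); memcpy(out + 6, &be, sizeof be);
}

/* What the bpf listener would see: tag header, wire IP header, payload.
 * Returns the frame length, or 0 if the buffer is too small. */
size_t ipfw_tagged_frame(uint8_t *out, size_t cap, const struct ipfw_tag *t,
                         const struct ip4_host *h, const uint8_t *pl, size_t plen)
{
    size_t need = FAKE_ETHER_LEN + IP4_HDR_LEN + plen;
    if (cap < need)
        return 0;
    ipfw_tag_encode(out, t);
    ip4_wire_copy(h, out + FAKE_ETHER_LEN);
    if (plen)
        memcpy(out + FAKE_ETHER_LEN + IP4_HDR_LEN, pl, plen);
    return need;
}

/* Constructed sample: a 60-byte TCP packet with DF set, logged by rule 100
 * of set 3 on its way out; returns the tagged frame length (38). */
size_t sample_frame(uint8_t *out, size_t cap)
{
    struct ipfw_tag t = { 100, 3, 1 };
    struct ip4_host h;
    const uint8_t payload[4] = { 1, 2, 3, 4 };
    memset(&h, 0, sizeof h);
    h.vhl = 0x45; h.len = 60; h.off = 0x4000; h.ttl = 64; h.proto = 6;
    return ipfw_tagged_frame(out, cap, &t, &h, payload, sizeof payload);
}
```

With this layout a listener can select one rule with tcpdump -i ipfw0 'ether[2:4] = 100', and only its outbound packets with 'ether[2:4] = 100 and ether[8] = 1'.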
From: "Simon L. Nielsen"
To: Luigi Rizzo
cc: ipfw@freebsd.org
Message-ID: <20030915113824.GB393@FreeBSD.org>
In-Reply-To: <20030915041525.B77950@xorpc.icir.org>
Subject: Re: ipfw2 logging through tcpdump ?

On 2003.09.15 04:15:26 -0700, Luigi Rizzo wrote:
> It occurred to me that one way could be to extend the ipfw2
> "log" option to optionally pass to a bpf listener a copy of the packets
> selected by the ipfw rule (maybe with some tag showing the rule
> they come from) so that one can run a tcpdump on that stream when
> detailed analysis is required, and have essentially zero overhead in
> other cases.

I think it would be a very good idea. The current ipfw logging is missing a lot of interesting metadata about the packets. I looked at coding this some time ago, and while I did get it working, it is a mess since you have to do a lot of string manipulation in the kernel to log the appropriate information. I think using a userland program to do all the string magic is a lot better.

> Does this make sense ? And, any idea on how to tag the packet with
> a rule number in a way that tcpdump can filter (yes, i am looking
> for dirty hacks here...)

Have you looked at how IPFilter or OpenBSD's pf does this? I believe they log packets using bpf/tcpdump (I might be wrong, I have never used them).

-- 
Simon L. Nielsen
FreeBSD Documentation Team

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 05:38:33 2003
Message-Id: <200309151438.1937858.6@btsoftware.com>
From: "Martin Bartelds"
To: "ipfw@freebsd.org"
Date: Mon, 15 Sep 2003 14:38:17 +0200 (CDT)
Subject: IPFW/routing wishes

What I seriously miss in FreeBSD is the possibility to have NATD active on more than one network address/card and do packet routing based on packet information.

For example: all external network interfaces X and Y serving their own requests, routing all traffic from the firewall's system to interface X and all other traffic (i.e. from the internal network) to interface Y.

The activation mechanism (the rules) of IPFW and NATD seems to be integrated with the actual firewall. Understandable, because once matching has been done, the FW rule can be applied easily. Activation of NATD handling is done with the divert as a result of the matching mechanism.

Running 2 NATDs is possible, but ends up with the wrong "source" address in the packets supposed to go to one of the cards. I.e. one NATD works fine, the other creates packets with the wrong source address going to the wrong outgoing network card (and as such they have conflicts with the firewall rules, apart from going to the wrong card and as such abusing the ISP).

I would like to see an option "REROUTE", where I have the opportunity to change source address and destination network card.

A subsequent wish would be to have some sort of option to manipulate the REROUTE effect based on load and/or line availability. But that's much less important (for the moment).

What I'm not looking for:

- The option to keep a TCP connection up once it has been established.
  If an external link fails, the connection may be dropped. No problem.
- A real dual link, where packets for one TCP connection are sent out over two external links. Much harder to implement and to keep ISPs happy about strange IP addresses coming out of their network.

Why am I interested in this REROUTE option? Many (smaller) companies and/or individuals have NATD running for both protection and serving the internal network. More and more, this user group is having MULTIPLE external (low cost ADSL and/or cable) connections for performance and fallback strategies. Until now, FreeBSD is not capable of handling this properly. :-((

I have been looking at the FreeBSD source code and noticed it "could" be done by the firewall code. But that would be (programmer-wise) an ugly way to do this, because it would require changing data global to the firewall selection/handling routines' context.

Opinions?

Martin.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 06:06:53 2003
Date: Mon, 15 Sep 2003 15:06:42 +0200 (CEST)
From: Christian Kratzer
To: Martin Bartelds
cc: "ipfw@freebsd.org"
Message-ID: <20030915150519.O3146@vesihiisi.cksoft.de>
In-Reply-To: <200309151438.1937858.6@btsoftware.com>
Subject: Re: IPFW/routing wishes

Hi,

On Mon, 15 Sep 2003, Martin Bartelds wrote:
> What I seriously miss in FreeBSD is the possibility to have NATD active
> on more than one network address/card and do packet routing based
> on packet information.
>
> For example: all external network interfaces X and Y serving their own requests,
> routing all traffic from the firewall's system to interface X and all
> other traffic (i.e. from the internal network) to interface Y.
>
> The activation mechanism (the rules) of IPFW and NATD seems to
> be integrated with the actual firewall. Understandable, because once
> matching has been done, the FW rule can be applied easily. Activation
> of NATD handling is done with the divert as a result of the matching mechanism.
>
> Running 2 NATDs is possible, but ends up with the wrong "source"
> address in the packets supposed to go to one of the cards.
> I.e. one NATD works fine, the other creates packets with the wrong source
> address going to the wrong outgoing network card (and as such have
> conflicts with the firewall rules, apart from going to the wrong card and
> as such abusing the ISP).
[snipp]

I have successfully run multiple natds on different outside interfaces and had absolutely no problems in doing so.
Of course you need two different divert ports, but the configuration was pretty trivial.

Can you show a specific config you had problems with?

Greetings
Christian
-- 
CK Software GmbH                 Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de              Phone: +49 7452 889-135
Open Software Solutions, Network Security    Fax: +49 7452 889-136
FreeBSD spoken here!

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 07:18:34 2003
Date: Mon, 15 Sep 2003 07:18:28 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Message-ID: <20030915071828.B79168@xorpc.icir.org>
In-Reply-To: <20030915041525.B77950@xorpc.icir.org>
Subject: ipfw2 logging through tcpdump (almost done!)

well it was almost as easy as I expected... a patch for netinet/ip_fw2.c is at the end of this message.

Basically, if net.inet.ip.fw.verbose=1 the log command works as usual, whereas if it is 0 you can run

	tcpdump -i ipfw0 ...

and catch packets that would normally go to the log output.

There are still some minor glitches in that "ipfw0" looks weird, I cannot figure out what I am missing in the initialization to make it look like an ethernet interface, and also what needs to be done to assign an address to it so that it works ok with things like trafshow.

Suggestions welcome...

cheers
luigi

On Mon, Sep 15, 2003 at 04:15:26AM -0700, Luigi Rizzo wrote:
> having recently played a bit with largish ipfw configurations,
> i would have really liked to have a more flexible logging facility
> for ipfw.
>
> It occurred to me that one way could be to extend the ipfw2
> "log" option to optionally pass to a bpf listener a copy of the packets
> selected by the ipfw rule (maybe with some tag showing the rule
> they come from) so that one can run a tcpdump on that stream when
> detailed analysis is required, and have essentially zero overhead in
> other cases.
>
> What do people think ? Implementation should be almost trivial,
> amounting to creating a fake struct ifnet for ipfw2 (suitably
> initialized to give it a name and pretend it is up and running and
> has an address assigned), calling
> bpfattach() on it, and then implementing an ipfw2 instruction
> which always succeeds and, if there is a listener,
> calls bpf_mtap on the mbuf.
>
> Does this make sense ? And, any idea on how to tag the packet with
> a rule number in a way that tcpdump can filter (yes, i am looking
> for dirty hacks here...)
>
> (and speaking of dirty hacks, of course layer3 packets can be
> easily prepended with a fake MAC header which includes the matching
> rule number in the ether src/dst addresses, but this trick won't
> work for layer2 packets, which we do care about).
>
> cheers
> luigi

Index: netinet/ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.6.2.16 diff -u -r1.6.2.16 ip_fw2.c --- netinet/ip_fw2.c 17 Jul 2003 06:03:39 -0000 1.6.2.16 +++ netinet/ip_fw2.c 15 Sep 2003 14:49:30 -0000 @@ -55,6 +55,8 @@ #include #include #include +#include /* for IFT_ETHER */ +#include /* for BPF */ #include #include #include @@ -234,6 +236,11 @@ ip_dn_ruledel_t *ip_dn_ruledel_ptr = NULL; /* hook into dummynet */ /* + * hook to attach to bpf + */ +static struct ifnet ifn; + +/* * This macro maps an ip pointer into a layer3 header pointer of type T */ #define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl))
@@ -1812,6 +1819,26 @@ case O_LOG: if (fw_verbose) ipfw_log(f, hlen, args->eh, m, oif); + else if (ifn.if_bpf != NULL) { + /* This kludge is OK; BPF treats the "mbuf" as read-only */ + struct m_hdr mh; + mh.mh_next = m; + mh.mh_len = ETHER_HDR_LEN; + if (args->eh) /* layer2, complete */ + mh.mh_data = (char *)args->eh; + else { + /* fake header and restore wire format*/ + mh.mh_data = "DDDDDDSSSSSS\x08\x00"; + ip->ip_off = ntohs(ip->ip_off); + ip->ip_len = ntohs(ip->ip_len); + } + bpf_mtap(&ifn, (struct mbuf *)&mh); + if (args->eh == NULL) { + /* restore IP format */ + ip->ip_off = htons(ip->ip_off); + ip->ip_len = htons(ip->ip_len); + } + } match = 1; break; @@ -2767,11 +2794,29 @@ ipfw_timeout_h = timeout(ipfw_tick, NULL, dyn_keepalive_period*hz); } +static int +ipfw_ifnet_ioctl(struct ifnet *ifp, u_long cmd, caddr_t addr) +{ + return 0; /* always succeed... */ +} + static void ipfw_init(void) { struct ip_fw default_rule; +/** bpf code **/ + ifn.if_name = "ipfw"; + ifn.if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; + ifn.if_ioctl = ipfw_ifnet_ioctl; /* getaddr */ + ifn.if_type = IFT_ETHER; + ifn.if_addrlen = 6; + ifn.if_hdrlen = 14; + if_attach(&ifn); + bpfattach(&ifn, DLT_EN10MB, sizeof(struct ether_header)); + +/** end bpf code **/ + ip_fw_chk_ptr = ipfw_chk; ip_fw_ctl_ptr = ipfw_ctl; layer3_chain = NULL; 
@@ -2844,6 +2889,7 @@ err = EBUSY; #else s = splimp(); + ether_ifdetach(&ifn, 1 /* we want bpf */); untimeout(ipfw_tick, NULL, ipfw_timeout_h); ip_fw_chk_ptr = NULL; ip_fw_ctl_ptr = NULL;

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 07:34:40 2003
Message-ID: <3F65CEC5.8090803@ncq.be>
Date: Mon, 15 Sep 2003 16:37:57 +0200
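Review bot: in the @@ -1812 hunk of the ip_fw2.c patch above, the stack struct m_hdr mh has only mh_next, mh_len and mh_data set before it is cast to struct mbuf and handed to bpf_mtap(); mh_flags, mh_type and mh_nextpkt are left uninitialized, so clear it first (bzero(&mh, sizeof(mh))). The ntohs()/htons() of ip->ip_off and ip->ip_len around the bpf_mtap() call also rewrite the live packet header in place; copying the IP header in wire order into a small stack buffer and chaining that behind the fake Ethernet header would remove the restore step and the window in which the header sits in the wrong byte order.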
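Review bot: in the @@ -2767 hunk of the ip_fw2.c patch, ipfw_ifnet_ioctl() returns 0 for every request, so SIOCSIFADDR and the other ioctls report success without the interface recording anything, which fits the trouble assigning an address described in the message; handle SIOCSIFADDR and SIOCSIFFLAGS explicitly and return EINVAL for the rest. The /** bpf code **/ block in ipfw_init() also sets if_name but neither if_unit, if_output nor a link-level address, which is worth a comment if the "ipfw0 looks weird" symptom is to be tracked down.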
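Review bot: the @@ -2844 hunk of the ip_fw2.c patch tears the interface down with ether_ifdetach(&ifn, 1 /* we want bpf */) although ipfw_init() attached it with if_attach() followed by bpfattach(); pair the two sides the same way (bpfdetach() then if_detach() here, or ether_ifattach() in ipfw_init()) so the attach/detach lifecycle is easy to audit, and the inline comment then becomes unnecessary.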
From: Tiele Defrancq
To: freebsd-ipfw@freebsd.org, wouter.cuypers@ua.ac.be, voutah@detroit.org
Subject: (no subject)

wouterDAvkYkxYwouter

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 07:45:14 2003
Date: Mon, 15 Sep 2003 16:45:05 +0200 (CEST)
From: Christian Kratzer
To: Martin Bartelds
cc: freebsd-ipfw@freebsd.org
Message-ID: <20030915163024.M4213@vesihiisi.cksoft.de>
In-Reply-To: <200309151529.5442239.6@btsoftware.com>
Subject: Re: IPFW/routing wishes

Hi,

On Mon, 15 Sep 2003, Martin Bartelds wrote:
> Hi Christian,
>
> Thanks for the reply.
>
> Actually two NATDs do work, but one of these NATDs does have a problem.
> The outgoing IP number will not match the default routing adapter.
> If the firewall rules on that default routing adapter are "relaxed" and
> the external route does not block strange packets, it'll work, but
> outgoing packets will go through the default interface.
>
> I did have two NATDs, two divert sockets, two rule sets, etc. and
> everything "worked" except the outgoing packets of the second NATD
> attempting to go through the wrong adapter.

I used specific routes to distribute traffic over separate internet connections last time we had such a setup.

Each connection had its own natd on its own divert port and its own config file. The external ip to which to nat goes in the specific natd's config file.

Packets going in and out over one interface go into their specific natd instance and packets over the other interface go into theirs. No mixup possible.

> I don't have the config any more, since this was an ongoing trial
> finally being blocked on the issue "wrong source IP address going
> to the wrong network adapter".
[snipp]

looks like you want to decide which interface or nexthop to use depending on the source address of the packets. I have not done policy routing on freebsd before but I would give the ipfw fwd action a deeper look:

     fwd | forward ipaddr[,port]
             Change the next-hop on matching packets to ipaddr, which can be
             an IP address in dotted quad format or a host name. The search
             terminates if this rule matches.

you should be able to implement source routing with this, although policy routing rulesets usually tend to be rather ugly.

I am also not quite sure if the packets will be injected back into the rulesets and go through the divert rules and into their natds after this.

Greetings
Christian
-- 
CK Software GmbH                 Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de              Phone: +49 7452 889-135
Open Software Solutions, Network Security    Fax: +49 7452 889-136
FreeBSD spoken here!

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 10:11:07 2003
Date: Mon, 15 Sep 2003 10:11:06 -0700
Cc: freebsd-ipfw@freebsd.org
From: Sean Hafeez
Message-Id: <97A15E3E-E79F-11D7-9C4C-003065F1EE08@edgefocus.com>
In-Reply-To: <3F65CEC5.8090803@ncq.be>
Subject: ipfw2

I am having a hard time figuring something out about IPFW2. I am currently using a build of 4.8 with IPFW and DUMMYNET as a rate-shaping router. I have tried to build a kernel with the IPFW2 options but then I seem to have issues with using DUMMYNET. The ipfw pipe commands give errors and core dumps. Am I missing something?

-Sean

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 10:35:03 2003
Message-ID: <3F65F83E.2050908@tenebras.com>
Date: Mon, 15 Sep 2003 10:34:54 -0700
From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Sean Hafeez References: <97A15E3E-E79F-11D7-9C4C-003065F1EE08@edgefocus.com> In-Reply-To: <97A15E3E-E79F-11D7-9C4C-003065F1EE08@edgefocus.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Sep 2003 17:35:03 -0000

Sean Hafeez wrote:
> I am having a hard time figuring something out about IPFW2. I am
> currently using a build of 4.8 with IPFW and DUMMYNET as a rate-shaping
> router. I have tried to build a kernel with the IPFW2 options but then I
> seem to have issues with using DUMMYNET. The ipfw pipe commands give
> errors and core dumps. Am I missing something?

USING IPFW2 IN FreeBSD-STABLE

ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before a buildworld).

# echo "IPFW2= YES" >> /etc/make.conf
# cd /usr/src/lib/libalias
# make clean && make && make install && make clean
# cd /usr/src/sbin/ipfw
# make clean && make && make install && make clean

-- 
"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent man requires only two thousand five hundred."
- The Mahabharata From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 12:31:35 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 311A016A4BF for ; Mon, 15 Sep 2003 12:31:35 -0700 (PDT) Received: from mail.cta.ro (mail.cta.ro [217.156.120.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 761BB43F93 for ; Mon, 15 Sep 2003 12:31:32 -0700 (PDT) (envelope-from daniel@guitar.ro) Received: from COSTI ([217.73.166.72]) by mail.cta.ro (8.11.6/8.11.6) with SMTP id h8FJWYt17677 for ; Mon, 15 Sep 2003 22:32:35 +0300 MIME-Version: 1.0 Message-Id: <3F661392.000001.01980@COSTI> Date: Mon, 15 Sep 2003 22:31:30 +0300 (E. Europe Daylight Time) Content-Type: Multipart/related; type="multipart/alternative"; boundary="------------Boundary-00=_IWS9QL80000000000000" X-Mailer: IncrediMail 2001 (1850924) 
From: "daniel@guitar.ro" References: <3F65F83E.2050908@tenebras.com> X-Priority: 3 To: X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: Re: ipfw2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Sep 2003 19:31:35 -0000

Another issue : is ipfw / ipfw2 not working with "fwd" if the computer is acting as a bridge?

[bridge /]7# sysctl -a | grep ipfw
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
net.link.ether.ipfw: 1
[bridge /]8#

[bridge /]9# ipfw -a l | grep 193.213.153
00010 0 0 fwd 217.156.120.41 ip from 193.213.153.0/24 to any
00011 3805 172520 deny tcp from 193.213.153.0/24 to any
[bridge /]10#

[bridge /]9# uname -a
FreeBSD bridge.something.net 5.1-RELEASE FreeBSD 5.1-RELEASE #5: Wed Aug 20 01:25:19 EEST 2003 root@bridge.something.net:/usr/src/sys altq/i386/compile/SMP i386
[bridge /]10#

So, the first rule doesn't work, the second works. Why's that ?

Dan Caescu

-------Original Message-------
From: Michael Sierchio
Date: Monday, September 15, 2003 8:36:46 PM
To: Sean Hafeez
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2

Sean Hafeez wrote:
> I am having a hard time figuring something out about IPFW2. I am
> currently using a build of 4.8 with IPFW and DUMMYNET as a rate-shaping
> router. I have tried to build a kernel with the IPFW2 options but then I
> seem to have issues with using DUMMYNET. The ipfw pipe commands give
> errors and core dumps. Am I missing something?

USING IPFW2 IN FreeBSD-STABLE
ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses
ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw
and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the
same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before
a buildworld).

# echo "IPFW2= YES" >> /etc/make.conf
# cd /usr/src/lib/libalias
# make clean && make && make install && make clean
# cd /usr/src/sbin/ipfw
# make clean && make && make install && make clean

-- 

"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent man requires only two thousand five hundred."
- The Mahabharata

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 12:37:02 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD07016A4BF for ; Mon, 15 Sep 2003 12:37:02 -0700 (PDT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00EA443FE3 for ; Mon, 15 Sep 2003
12:37:02 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h8FJb1kN094321; Mon, 15 Sep 2003 12:37:01 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h8FJb1YH094319; Mon, 15 Sep 2003 12:37:01 -0700 (PDT) (envelope-from rizzo) Date: Mon, 15 Sep 2003 12:37:01 -0700 
From: Luigi Rizzo To: "daniel@guitar.ro" Message-ID: <20030915123701.A94252@xorpc.icir.org> References: <3F65F83E.2050908@tenebras.com> <3F661392.000001.01980@COSTI> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3F661392.000001.01980@COSTI>; from daniel@guitar.ro on Mon, Sep 15, 2003 at 10:31:30PM +0300 cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Sep 2003 19:37:02 -0000

On Mon, Sep 15, 2003 at 10:31:30PM +0300, daniel@guitar.ro wrote:
> Another issue : is ipfw / ipfw2 not working with "fwd" if the computer is
> acting as a bridge?

no, i think this is documented. I suggest you read the manpage.

luigi

> [bridge /]7# sysctl -a | grep ipfw
> net.link.ether.bridge_ipfw: 1
> net.link.ether.bridge_ipfw_drop: 0
> net.link.ether.bridge_ipfw_collisions: 0
> net.link.ether.ipfw: 1
> [bridge /]8#
>
> [bridge /]9# ipfw -a l | grep 193.213.153
> 00010 0 0 fwd 217.156.120.41 ip from 193.213.153.0/24 to any
> 00011 3805 172520 deny tcp from 193.213.153.0/24 to any
> [bridge /]10#
>
> [bridge /]9# uname -a
> FreeBSD bridge.something.net 5.1-RELEASE FreeBSD 5.1-RELEASE #5: Wed Aug 20
> 01:25:19 EEST 2003 root@bridge.something.net:/usr/src/sys
> altq/i386/compile/SMP i386
> [bridge /]10#
>
>
> So, the first rule doesn't work, the second works. Why's that ?
>
>
> Dan Caescu
>
> -------Original Message-------
> > From: Michael Sierchio > Date: Monday, September 15, 2003 8:36:46 PM > To: Sean Hafeez > Cc: freebsd-ipfw@freebsd.org > Subject: Re: ipfw2 > > Sean Hafeez wrote: > > I am having a hard time figuring something out about IPFW2. I am > > currently using a built of 4.8 with IPFW and DUMMYNET as a rateshapping > > router. I have tried to build a kernel with the IPFW2 options but then I > > seem to have issues with using DUMMYNET. The ipfw pipe comments give > > errors and core dumps. Am I missing something? > > USING IPFW2 IN FreeBSD-STABLE > ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses > ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw > and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the > same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before > a buildworld). > > # echo "IPFW2= YES" >> /etc/make.conf > # cd /usr/src/lib/libalias > # make clean && make && make install && make clean > # cd /usr/src/sbin/ipfw > # make clean && make && make install && make clean > > -- > > "Well," Brahma said, "even after ten thousand explanations, a fool is no > wiser, but an intelligent man requires only two thousand five hundred." > - The Mahabharata > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > . 
> _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 12:57:06 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6EC0416A4BF for ; Mon, 15 Sep 2003 12:57:06 -0700 (PDT) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5537443F85 for ; Mon, 15 Sep 2003 12:57:05 -0700 (PDT) (envelope-from ck@cksoft.de) Received: from localhost (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id 493621FF90A; Mon, 15 Sep 2003 19:08:24 +0200 (CEST) Received: from vesihiisi.cksoft.de (unknown [192.168.64.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by transport.cksoft.de (Postfix) with ESMTP id ADE061FF8FB; Mon, 15 Sep 2003 19:08:20 +0200 (CEST) Received: from vesihiisi.cksoft.de (localhost [127.0.0.1]) by vesihiisi.cksoft.de (Postfix) with ESMTP id 2FC08225C; Mon, 15 Sep 2003 19:08:19 +0200 (CEST) Received: by vesihiisi.cksoft.de (Postfix, from userid 1000) id 4FE59224B; Mon, 15 Sep 2003 19:08:17 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by vesihiisi.cksoft.de (Postfix) with ESMTP id 4E4E721C4; Mon, 15 Sep 2003 19:08:17 +0200 (CEST) Date: Mon, 15 Sep 2003 19:08:17 +0200 (CEST) 
From: Christian Kratzer To: Martin Bartelds In-Reply-To: <200309151809.4842238.6@btsoftware.com> Message-ID: <20030915190407.J5252@vesihiisi.cksoft.de> References: <200309151809.4842238.6@btsoftware.com> X-Spammer-Kill-Ratio: 75% MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS snapshot-20020300-cksoft-02bz on vesihiisi.cksoft.de X-Virus-Scanned: by AMaViS snapshot-20020300 cc: freebsd-ipfw@freebsd.org Subject: Re: IPFW/routing wishes X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: freebsd-isp@freebsd.org List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Sep 2003 19:57:06 -0000

Hi,

On Mon, 15 Sep 2003, Martin Bartelds wrote:
[snipp]
> The IPFW Fwd command does (as far as I know) only change the
> next hop, not the (already chosen) interface how to come there.
> And that's the problem. The interface information is kept one
> level higher as where IPFW operates. The Fwd command is
> intended to "run" on the incoming packets (which will be subject
> to the FreeBSD routing actions later on), whereas I do have to
> change the interface of the outgoing packets (which do not
> enter the FreeBSD routing system again).
>
> My original request is effectively to have the possibility to do
> an additional routing action on outgoing packets.

I googled around and immediately hit a past discussion on this list

http://www.google.de/search?q=freebsd+ipfw+policy+routing
http://docs.freebsd.org/mail/archive/2002/freebsd-ipfw/20020901.freebsd-ipfw.html
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=23701+0+archive/2002/freebsd-ipfw/20020901.freebsd-ipfw

one of the posters recommends applying a forward rule to packets incoming on the inside interface. This way you can still modify the next hop and thus the interface they will leave.

Greetings
Christian

-- 
CK Software GmbH Christian Kratzer, Schwarzwaldstr.
31, 71131 Jettingen Email: ck@cksoft.de Phone: +49 7452 889-135 Open Software Solutions, Network Security Fax: +49 7452 889-136 FreeBSD spoken here! From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 14:57:43 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 18F3F16A4BF for ; Mon, 15 Sep 2003 14:57:43 -0700 (PDT) Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id B8B7643FE3 for ; Mon, 15 Sep 2003 14:57:39 -0700 (PDT) (envelope-from ru@sunbay.com) Received: from whale.sunbay.crimea.ua (ru@localhost [127.0.0.1]) h8FLvWpI028775 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 16 Sep 2003 00:57:33 +0300 (EEST) (envelope-from ru@sunbay.com) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.12.9/8.12.8/Submit) id h8FLvSMU028765; Tue, 16 Sep 2003 00:57:28 +0300 (EEST) (envelope-from ru) Date: Tue, 16 Sep 2003 00:57:28 +0300 
From: Ruslan Ermilov To: Martin Bartelds Message-ID: <20030915215728.GD14510@sunbay.com> References: <200309151438.1937858.6@btsoftware.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="3Gf/FFewwPeBMqCJ" Content-Disposition: inline In-Reply-To: <200309151438.1937858.6@btsoftware.com> User-Agent: Mutt/1.5.4i cc: "ipfw@freebsd.org" Subject: Re: IPFW/routing wishes X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Sep 2003 21:57:43 -0000

On Mon, Sep 15, 2003 at 02:38:17PM +0200, Martin Bartelds wrote:
> What I do seriously miss in FreeBSD, is the possibility to have NATD active
> on more than 1 network address/card and do packet routing based
> on packet information.
>

I have a config with two ISPs, each providing us with a small block of IP addresses, and I have the solution that:

- does source-based routing with the help of "ipfw fwd",
- provides multi-NAT for internal hosts, destination-based.

The last part is done by allocating two distinct IP addresses, one from each block, and "routing" the packets to a corresponding natd(8) process, like this:

In /etc/rc.conf:

natd_enable="YES"
natd_interface="x.x.x.x"
natd2_enable="YES"
natd2_interface="y.y.y.y"
natd2_flags="-p natd2"

In /etc/rc.firewall:

# EXTERNAL INTERFACE RULESET
# Spoof protection.
[...]
# NAT.
# Traffic for ISP2's block goes through natd2 (y.y.y.y); this rule must
# come before the generic natd rule below, or it would be translated to x.x.x.x.
${fwcmd} add divert natd2 ip from ${inet} to ${isp2_net} out
${fwcmd} add divert natd2 ip from any to y.y.y.y in
# Anything still addressed to y.y.y.y after natd2 had no translation entry.
${fwcmd} add deny ip from any to y.y.y.y in
${fwcmd} add divert natd ip from ${inet} to any out
${fwcmd} add divert natd ip from any to x.x.x.x in
${fwcmd} add deny ip from any to x.x.x.x in

Cheers,
-- 
Ruslan Ermilov Sysadmin and DBA, ru@sunbay.com Sunbay Software Ltd, ru@FreeBSD.org FreeBSD committer
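The ruleset above works only because of the order of the rules, which the message leaves implicit. The following Python script is an added example, not Ruslan's rc.firewall and not ipfw itself: it models just the part of ipfw's behaviour the ruleset relies on (first-match evaluation; a divert rule handing the packet to a natd, after which the packet continues at the next rule; fwd terminating the search; the kernel's default rule denying what nothing matched) and walks four packets through the rules. The concrete addresses standing in for ${inet}, ${isp2_net}, x.x.x.x and y.y.y.y, the fwd rule for traffic that was translated to y, and the trailing allow are assumptions; ports are ignored.

```python
"""Offline model of how ipfw walks a two-natd ruleset (added example, not ipfw)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INET = "192.168.1.0/24"        # assumed value of ${inet}
ISP2_NET = "198.51.100.0/24"   # assumed value of ${isp2_net}
X = "203.0.113.5"              # assumed x.x.x.x (address from ISP1's block)
Y = "198.51.100.5"             # assumed y.y.y.y (address from ISP2's block)
NATD_PUBLIC = {"natd": X, "natd2": Y}   # which public address each natd instance uses

RULESET = [
    f"divert natd2 ip from {INET} to {ISP2_NET} out",
    f"divert natd2 ip from any to {Y} in",
    f"deny ip from any to {Y} in",
    f"divert natd ip from {INET} to any out",
    f"divert natd ip from any to {X} in",
    f"deny ip from any to {X} in",
    f"fwd 198.51.100.1 ip from {Y} to any out",  # assumed: ISP2's gateway for traffic NATed to y
    "allow ip from any to any",                   # assumed tail; the message elides it
]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "in" or "out"


@dataclass
class Rule:
    action: str
    arg: Optional[str]
    src: str
    dst: str
    direction: Optional[str]


def parse_rule(text):
    """Parse the 'action [arg] ip from SRC to DST [in|out]' subset used above."""
    t = text.split()
    action, i, arg = t[0], 1, None
    if action in ("divert", "fwd", "forward"):
        arg, i = t[1], 2
    if t[i:i + 2] != ["ip", "from"] or t[i + 3] != "to":
        raise ValueError("unsupported rule: " + text)
    direction = t[i + 5] if len(t) > i + 5 else None
    return Rule(action, arg, t[i + 2], t[i + 4], direction)


def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    return (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)
            and rule.direction in (None, pkt.direction))


def natd(name, pkt, tables):
    """One natd instance: rewrite src on the way out, undo it on the way back in.
    tables[name] maps remote address -> internal host (ports ignored for brevity)."""
    public = NATD_PUBLIC[name]
    table = tables.setdefault(name, {})
    if pkt.direction == "out":
        table[pkt.dst] = pkt.src
        return Packet(public, pkt.dst, "out")
    if pkt.dst == public and pkt.src in table:
        return Packet(pkt.src, table[pkt.src], "in")
    return pkt  # no translation entry: left as is, so the deny that follows can catch it


def evaluate(ruleset, pkt, tables):
    """Walk the rules top to bottom; return (final action, packet as it leaves the firewall)."""
    for text in ruleset:
        rule = parse_rule(text)
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd(rule.arg, pkt, tables)  # reinjected packet continues at the next rule
            continue
        if rule.action in ("fwd", "forward"):
            return "fwd " + rule.arg, pkt        # the search terminates on a fwd match
        return rule.action, pkt                  # allow / deny
    return "deny", pkt  # default rule 65535 (kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT)


def walk_examples():
    """Four constructed packets that exercise the ordering the ruleset depends on."""
    tables = {}
    to_isp2 = evaluate(RULESET, Packet("192.168.1.10", "198.51.100.77", "out"), tables)
    to_isp1 = evaluate(RULESET, Packet("192.168.1.10", "192.0.2.9", "out"), tables)
    reply_to_y = evaluate(RULESET, Packet("198.51.100.77", Y, "in"), tables)
    unsolicited_to_x = evaluate(RULESET, Packet("192.0.2.200", X, "in"), tables)
    return to_isp2, to_isp1, reply_to_y, unsolicited_to_x


if __name__ == "__main__":
    for result in walk_examples():
        print(result)
```

Running it shows outbound traffic for ISP2's block leaving as y and being forwarded to ISP2's gateway, other outbound traffic leaving as x, a reply to y being un-NATed by natd2 so the deny after it never fires, and an unsolicited packet to x passing through natd untranslated and then hitting the deny. Moving the generic divert natd rule ahead of the natd2 rules makes ISP2-bound traffic leave as x instead, which is the mistake the ordering prevents.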
From: "W.D. McKinney" To: freebsd-ipfw@freebsd.org Content-Type: text/plain Organization: Message-Id: <1063646708.9516.1134.camel@papa.wdm.com> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.2.3 Date: 15 Sep 2003 09:25:08 -0800 Content-Transfer-Encoding: 7bit Subject: test post X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Sep 2003 22:49:51 -0000 Point this to /dev/null From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 16 11:58:35 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E6A016A4B3 for ; Tue, 16 Sep 2003 11:58:35 -0700 (PDT) Received: from mail.foremind.com (mail.inform.com.hk [206.220.132.130]) by mx1.FreeBSD.org (Postfix) with SMTP id 782A643FB1 for ; Tue, 16 Sep 2003 11:58:31 -0700 (PDT) (envelope-from achan@achan.com) Received: (qmail 5382 invoked by uid 0); 16 Sep 2003 18:58:29 -0000 Received: from unknown (HELO mickey) (achan@achan.com@203.169.179.167) by mail.inform.com.hk with SMTP; 16 Sep 2003 18:58:29 -0000 Message-ID: <000c01c37c84$84017080$4d00a8c0@mickey> 
From: "Andrew Chan" To: Date: Wed, 17 Sep 2003 02:58:28 +0800 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: ARP not working on interface that does not have an IP X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:58:35 -0000

My description is lengthy but believe me, it is a "simple" problem.

Greetings,

I am trying to insert a FreeBSD Bridging Firewall into an existing office broadband network.

[[ ADSL modem / router (double as a NAT box) ]] <===> [[ "rl0" FreeBSD "rl1" ]] <===> [[ office LAN switch ]]

"rl0" is connected to the outside ADSL box and "rl1" is connected to the internal office LAN switch

The ADSL box has an IP of 192.168.0.1 and is the default router for everybody. "rl1" has an IP of 192.168.0.2 while "rl0" does not have an IP configured.

I have 99% of everything working, including the passing of ARP (I am running ipfw2 on 5.1R). The PCs on the office internal LAN can connect to the outside world with no problem whatsoever.

The only problem is "rl0" doesn't seem to be able to look up the MAC address of 192.168.0.1 (the ADSL router) through ARP and that means any TCP/IP connections I initiated on the FreeBSD box to the outside world would fail.

? (192.168.0.1 at (incomplete) on rl1 [ethernet]

Looks like the system is expecting the ARP entry to come from rl1 while it should have been from rl0.

I ran tcpdump on "rl0" and saw both the outgoing ARP requests from the FreeBSD box and the ARP replies from 192.168.0.1. It is just the FreeBSD box never seems to get the ARP replies. This problem stays the same even when I run an "open" firewall so I am quite sure it is not something about the rules.

If I give "rl0" an IP address and leave "rl1" without one then the problem is reversed, i.e. "rl1" cannot get any ARP stuff going.

I also tried to give "rl0" an IP address of 192.168.0.3 but "ifconfig" wouldn't take it complaining about:

ifconfig: ioctl (SIOCAIFADDR): File exists

I also tried to give "rl0" an IP address from another subnet (just to fake it) say 192.168.1.1 but then FreeBSD complained about the ARP replies of 192.168.0.1 were coming from the "wrong interface". It was expecting it to come from "rl1" (who is in the network range of 192.168.0.0) instead of from "rl0" (who is NOT in the networking range of 192.168.0.0).

I think I exhausted my experience here and would really appreciate some help.

Many thanks!

Andrew

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 16 23:00:26 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 368A016A4B3 for ; Tue, 16 Sep 2003 23:00:26 -0700 (PDT) Received: from skywalker.rogness.net (skywalker.rogness.net [64.251.173.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3472A43F3F for ; Tue, 16 Sep 2003 23:00:25 -0700 (PDT) (envelope-from nick@rogness.net) Received: from skywalker.rogness.net (localhost [127.0.0.1]) by skywalker.rogness.net (8.12.5/8.12.5) with ESMTP id h8H66jVs092935 for ; Wed, 17 Sep 2003 00:06:45 -0600 (MDT) (envelope-from nick@rogness.net) Received: from localhost (nick@localhost)h8H66ia8092932 for ; Wed, 17 Sep 2003 00:06:45 -0600 (MDT) X-Authentication-Warning: skywalker.rogness.net: nick owned process doing -bs Date: Wed, 17 Sep 2003 00:06:43 -0600 (MDT)
From: Nick Rogness To: freebsd-ipfw@freebsd.org Message-ID: <20030916235808.X92689-100000@skywalker.rogness.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Divert code X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 06:00:26 -0000

Without knowing much about the kernel ipfw divert code, what would it take to make it skip the ipfw divert rule if the app that's listening on that port dies? Besides 'a miracle' or an 'act of god' =) Some general ideas or thoughts would be nice.

The reason I ask is I've added a FreeBSD divert hook into the snort_inline code which reads from a divert socket. If snort_inline dies, the gateway dies (which is understandable) :-(

Thanks for your time.

Nick Rogness
- How many people here have telekinetic powers? Raise my hand. -Emo Philips

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 17 08:08:49 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AE53C16A4B3 for ; Wed, 17 Sep 2003 08:08:49 -0700 (PDT) Received: from mout2.freenet.de (mout2.freenet.de [194.97.50.155]) by mx1.FreeBSD.org (Postfix) with ESMTP id A25C043FE3 for ; Wed, 17 Sep 2003 08:08:48 -0700 (PDT) (envelope-from ino-qc@spotteswoode.de.eu.org) Received: from [194.97.50.138] (helo=mx0.freenet.de) by mout2.freenet.de with asmtp (Exim 4.22) id 19zdvD-0006ur-6D for freebsd-ipfw@freebsd.org; Wed, 17 Sep 2003 17:08:47 +0200 Received: from pd90559e1.dip.t-dialin.net ([217.5.89.225] helo=spotteswoode.dnsalias.org) by mx0.freenet.de with asmtp (ID inode@freenet.de) (Exim 4.23 #2) id 19zdvC-0000iM-VA for freebsd-ipfw@freebsd.org; Wed, 17 Sep 2003 17:08:47 +0200 Received: (qmail 57786 invoked by uid 0); 17 Sep 2003 15:09:08 -0000 Date: 17 Sep 2003 17:09:07 +0200 Message-ID:
From: "Clemens Fischer" To: "Nick Rogness" In-Reply-To: <20030916235808.X92689-100000@skywalker.rogness.net> (Nick Rogness's message of "Wed, 17 Sep 2003 00:06:43 -0600 (MDT)") References: <20030916235808.X92689-100000@skywalker.rogness.net> User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii cc: freebsd-ipfw@freebsd.org Subject: Re: Divert code X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 15:08:49 -0000 * Nick Rogness: > The reason I ask is I've added a FreeBSD divert hook into the > snort_inline code which reads from a divert socket. If snort_inline > dies, the gateway dies (which is understandable) :-( sorry, could you elaborate on this a little? clemens From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 17 08:52:59 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5AAC416A4B3 for ; Wed, 17 Sep 2003 08:52:59 -0700 (PDT) Received: from cultdeadsheep.org (charon.cultdeadsheep.org [80.65.226.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id B1B1643FE1 for ; Wed, 17 Sep 2003 08:52:55 -0700 (PDT) (envelope-from sheepkiller@cultdeadsheep.org) Received: (qmail 84363 invoked by uid 85); 17 Sep 2003 17:52:52 +0200 Received: from sheepkiller@cultdeadsheep.org by goofy.cultdeadsheep.org by uid 82 with qmail-scanner-1.20rc2 ( Clear:RC:1:. Processed in 0.04231 secs); 17 Sep 2003 15:52:52 -0000 Received: from unknown (HELO lucifer.cultdeadsheep.org) (sheepkiller@cultdeadsheep.org@192.168.0.2) by goofy.cultdeadsheep.org with AES256-SHA encrypted SMTP; 17 Sep 2003 17:52:51 +0200 Date: Wed, 17 Sep 2003 17:52:49 +0200 
From: Clement Laforet To: Nick Rogness Message-Id: <20030917175249.4df78d7d.sheepkiller@cultdeadsheep.org> In-Reply-To: <20030916235808.X92689-100000@skywalker.rogness.net> References: <20030916235808.X92689-100000@skywalker.rogness.net> Organization: tH3 cUlt 0f tH3 d3@d sH33p X-Mailer: Sylpheed version 0.9.4 (GTK+ 1.2.10; i386-portbld-freebsd5.1) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@freebsd.org Subject: Re: Divert code X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 15:52:59 -0000

On Wed, 17 Sep 2003 00:06:43 -0600 (MDT)
Nick Rogness wrote:

> Without knowing much about the kernel ipfw divert code, what would it
> take to make it skip the ipfw divert rule if the app that's listening
> on that port dies? Besides 'a miracle' or an 'act of god' =) Some
> general ideas or thoughts would be nice.

you need to write a daemon which removes divert rules, or, simply use supervise.

> The reason I ask is I've added a FreeBSD divert hook into the
> snort_inline code which reads from a divert socket. If snort_inline
> dies, the gateway dies (which is understandable) :-(

in fact, all diverted packets are sent to a divert socket, and the userland app reads (modifies) and reinjects packets into IP stack. if your daemon dies, packets will never be reinjected. If I were you, I would use netgraph (see ng_tee code) or bpf to implement this kind of daemon.
regards, clem From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 17 12:52:43 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B1C516A4BF for ; Wed, 17 Sep 2003 12:52:43 -0700 (PDT) Received: from mout1.freenet.de (mout1.freenet.de [194.97.50.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6B8A643FBF for ; Wed, 17 Sep 2003 12:52:42 -0700 (PDT) (envelope-from ino-qc@spotteswoode.de.eu.org) Received: from [194.97.50.135] (helo=mx2.freenet.de) by mout1.freenet.de with asmtp (Exim 4.22) id 19ziLx-0005Wg-80 for freebsd-ipfw@freebsd.org; Wed, 17 Sep 2003 21:52:41 +0200 Received: from p3e9baadf.dip.t-dialin.net ([62.155.170.223] helo=spotteswoode.dnsalias.org) by mx2.freenet.de with asmtp (ID inode@freenet.de) (Exim 4.23 #2) id 19ziLw-00050x-RZ for freebsd-ipfw@freebsd.org; Wed, 17 Sep 2003 21:52:41 +0200 Received: (qmail 2340 invoked by uid 0); 17 Sep 2003 19:53:02 -0000 Date: 17 Sep 2003 21:52:40 +0200 Message-ID: 
From: "Clemens Fischer" To: "Clement Laforet" In-Reply-To: <20030917175249.4df78d7d.sheepkiller@cultdeadsheep.org> (Clement Laforet's message of "Wed, 17 Sep 2003 17:52:49 +0200") References: <20030916235808.X92689-100000@skywalker.rogness.net> <20030917175249.4df78d7d.sheepkiller@cultdeadsheep.org> User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii cc: freebsd-ipfw@freebsd.org Subject: Re: Divert code X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 19:52:43 -0000 * Clement Laforet: > On Wed, 17 Sep 2003 00:06:43 -0600 (MDT) > Nick Rogness wrote: > >> Without knowing much about the kernel ipfw divert code, what would it >> take to make it skip the ipfw divert rule if the app that's listening >> on that port dies? Besides 'a miracle' or an 'act of god' =) Some >> general ideas or thoughts would be nice. > > you need to write a daemon which removes divert rules, or, simply > use supervise. the supervise from djbs daemontools? how would this help? clemens From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 17 12:56:34 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 72DEE16A4B3 for ; Wed, 17 Sep 2003 12:56:34 -0700 (PDT) Received: from cultdeadsheep.org (charon.cultdeadsheep.org [80.65.226.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0306543F75 for ; Wed, 17 Sep 2003 12:56:32 -0700 (PDT) (envelope-from sheepkiller@cultdeadsheep.org) Received: (qmail 6712 invoked by uid 85); 17 Sep 2003 21:56:30 +0200 Received: from sheepkiller@cultdeadsheep.org by goofy.cultdeadsheep.org by uid 82 with qmail-scanner-1.20rc2 ( Clear:RC:1:. 
Processed in 0.040016 secs); 17 Sep 2003 19:56:30 -0000 Received: from unknown (HELO lucifer.cultdeadsheep.org) (sheepkiller@cultdeadsheep.org@192.168.0.2) by goofy.cultdeadsheep.org with AES256-SHA encrypted SMTP; 17 Sep 2003 21:56:29 +0200 Date: Wed, 17 Sep 2003 21:56:28 +0200 
From: Clement Laforet To: "Clemens Fischer" Message-Id: <20030917215628.44bd61f7.sheepkiller@cultdeadsheep.org> In-Reply-To: References: <20030916235808.X92689-100000@skywalker.rogness.net> <20030917175249.4df78d7d.sheepkiller@cultdeadsheep.org> Organization: tH3 cUlt 0f tH3 d3@d sH33p X-Mailer: Sylpheed version 0.9.4 (GTK+ 1.2.10; i386-portbld-freebsd5.1) X-Face: ._cVVRDn#-2((lnfi^P7CoD4htI$4+#G/G)!w|,}H5yK~%(3-C.JlEYbOjJGFwJkt*7N^%z jYeu[;}]}F"3}l5R'l"X0HbvT^D\Q&%deCo)MayY`);TO Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@freebsd.org Subject: Re: Divert code X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 19:56:34 -0000 On 17 Sep 2003 21:52:40 +0200 "Clemens Fischer" wrote: > > > > you need to write a daemon which removes divert rules, or, simply > > use supervise. > > the supervise from djbs daemontools? how would this help? > > clemens just to restart the daemons when it crashes ;-) you can catch signals too, to remove divert rules. 
It's quite dirty, but it works ;)

clem

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 17 18:11:43 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C365D16A4B3 for ; Wed, 17 Sep 2003 18:11:43 -0700 (PDT) Received: from phoenix.gargantuan.com (rrcs-se-24-73-171-238.biz.rr.com [24.73.171.238]) by mx1.FreeBSD.org (Postfix) with ESMTP id B33B743F85 for ; Wed, 17 Sep 2003 18:11:42 -0700 (PDT) (envelope-from michael@gargantuan.com) Received: from 127.0.0.1 (localhost.gargantuan.com [127.0.0.1]) by spamassassin-injector (Postfix) with SMTP id 986732A2 for ; Thu, 18 Sep 2003 01:11:41 +0000 (GMT) Received: from cyclops.gargantuan.com (cyclops.gargantuan.com [3ffe:c00:8034:a00::18]) by phoenix.gargantuan.com (Postfix) with ESMTP id 01495261 for ; Wed, 17 Sep 2003 21:11:30 -0400 (EDT)
From: "Michael W. Oliver" To: freebsd-ipfw@freebsd.org Date: Wed, 17 Sep 2003 21:11:20 -0400 User-Agent: KMail/1.5.3 X-Personal-Email: michael@gargantuan.com X-WWW-Site: http://michael.gargantuan.com X-GPG-Public-Key: $WWW-Site/gnupg/pubkey.asc X-Home-Phone: +1-863-816-8091 X-Mobile-Phone: +1-863-738-2334 X-Home-Address: 8008 Apache Lane, Lakeland, FL, US 33810-2172 MIME-Version: 1.0 Content-Type: Text/Plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Content-Description: clearsigned data Content-Disposition: inline Message-Id: <200309172111.28909.michael@gargantuan.com> X-Spam-Status: No, hits=-2.1 required=5.0 tests=AWL,PGP_SIGNATURE,USER_AGENT_KMAIL autolearn=ham version=2.55 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) Subject: ipfw, pipes, queues, and IPv6 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: michael@gargantuan.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 01:11:43 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks,

I am looking for a little sanity check here. I have a gif tunnel set up for IPv6, and I am passing protocol 41 through the ipfw pipe/queue mechanism to/from my tunnel provider (part of a grander pipe/queue scheme due to my new Vonage service :). A couple of questions:

1) Am I correct in assuming that all IPv6 traffic that I am permitting via ip6fw is governed by the pipe/queue rules that I have configured for protocol 41 in ipfw?

2) If #1 is true, is there a way for me to use pipes/queues within ip6fw itself to discriminate by type of IPv6 traffic?

Thanks for the info!

- --
Mike
perl -e 'print unpack("u","88V]N=&%C=\"!I;F9O(&EN(&AE861E

Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 643F816A4E1 for ; Thu, 18 Sep 2003 04:56:34 -0700 (PDT) Received: from mail.1wisp.com (uslec-66-255-6-131.cust.uslec.net [66.255.6.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 56CC243FAF for ; Thu, 18 Sep 2003 04:56:30 -0700 (PDT) (envelope-from tscrum@1wisp.com) Received: from 1wispadmin ([192.168.1.94]) (authenticated) by mail.1wisp.com (8.11.6/8.11.6) with ESMTP id h8IBuTD15751 for ; Thu, 18 Sep 2003 07:56:29 -0400 Message-ID: <010401c37ddb$9f1f8a20$5e01a8c0@1wispadmin>
From: "Thomas S. Crum - 1WISP, Inc." To: Date: Thu, 18 Sep 2003 07:54:30 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: throttling bandwidth on different ports X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 11:56:34 -0000

Hi List,

I thank anyone, in advance, who might offer some light to my question below.

At our office, we have a T1 circuit that I am trying to divvy up bandwidth as you see below. I would like to give a greater amount of pipe to "web" associated ports and allow the rest of the traffic to fall into a default queue, both up and down.

When I run this config it seems that the "web" associated ports are simply falling into the default queue, which of course slows everything to a crawl since the default queues are so small.

Is it possible to queue tcp traffic as I am attempting to do?

Can anyone give me some insight as to why this is happening and offer a solution that will accomplish what I am attempting.

I am running dummynet as a bridge behind my router and in front of everything else on freebsd. My config is below.

###################

# TOM'S PLAYGROUND

# DO THIS CAUSE THEY SAY ITS GOOD
add check-state

# BLOCK BAD IP'S
#add deny ip from 192.168.1.27 to any
#add deny ip from any to 192.168.1.27

# Keep those nasty viruses, worms and critters away.
add deny udp from any to any 8998
add deny tcp from any to any 135
add deny udp from any to any 69
add deny tcp from any to any 4444
add deny tcp from any to any 707
add deny tcp from any to any 137
add deny udp from any to any 137
add deny tcp from any to any 138
add deny udp from any to any 138
add deny tcp from any to any 139
add deny udp from any to any 139
add deny tcp from any to any 593
add deny udp from any to any 593

# GIVE ME FULL PIPE WHEN SSH FROM OUTSIDE
add allow tcp from 66.255.6.221 to any 22
add allow tcp from any to 66.255.6.221 22

# ALLOW LOCAL IP'S TO PASS W/ EACH OTHER
add allow ip from 192.168.1.0/24 to 192.168.1.0/24
add allow ip from 192.168.1.0/24 to 66.255.6.0/24
add allow ip from 66.255.6.0/24 to 66.255.6.0/24
add allow ip from 66.255.6.0/24 to 192.168.1.0/24

# MAILSERVER "DUPLEX"
add queue 10 ip from any to 66.255.6.131
add queue 11 ip from 66.255.6.131 to any
queue 10 config weight 1 pipe 10 mask src-ip 0xffffffff
queue 11 config weight 1 pipe 10 mask dst-ip 0xffffffff
pipe 10 config bw 50Kbit/s

# EVERYBODY "DOWN 80, 443 AND 53 PORT" 80/20
add queue 30 tcp from any to 192.168.1.0/24 80
add queue 30 tcp from any to 66.255.6.0/24 80
add queue 30 tcp from any to 192.168.1.0/24 53
add queue 30 tcp from any to 66.255.6.0/24 53
add queue 30 udp from any to 192.168.1.0/24 53
add queue 30 udp from any to 66.255.6.0/24 53
add queue 30 tcp from any to 192.168.1.0/24 443
add queue 30 tcp from any to 66.255.6.0/24 443
add queue 30 udp from any to 192.168.1.0/24 443
add queue 30 udp from any to 66.255.6.0/24 443
queue 30 config weight 1 pipe 30 mask dst-ip 0xffffffff
pipe 30 config bw 960Kbit/s

# EVERYBODY "DOWN ALL PORTS"
add queue 31 ip from any to 192.168.1.0/24
add queue 31 ip from any to 66.255.6.0/24
queue 31 config weight 1 pipe 31 mask dst-ip 0xffffffff
pipe 31 config bw 240Kbit/s

# EVERYBODY "UP 80, 443 AND 53 PORT" 60/40
add queue 32 tcp from 192.168.1.0/24 80 to any
add queue 32 tcp from 66.255.6.0/24 80 to any
add queue 32 tcp from 192.168.1.0/24 53 to any
add queue 32 tcp from 66.255.6.0/24 53 to any
add queue 32 udp from 192.168.1.0/24 53 to any
add queue 32 udp from 66.255.6.0/24 53 to any
add queue 32 tcp from 192.168.1.0/24 443 to any
add queue 32 tcp from 66.255.6.0/24 443 to any
add queue 32 udp from 192.168.1.0/24 443 to any
add queue 32 udp from 66.255.6.0/24 443 to any
queue 32 config weight 1 pipe 32 mask src-ip 0xffffffff
pipe 32 config bw 150Kbit/s

# EVERYBODY "UP ALL PORTS"
add queue 33 ip from 192.168.1.0/24 to any
add queue 33 ip from 66.255.6.0/24 to any
queue 33 config weight 1 pipe 33 mask src-ip 0xffffffff
pipe 33 config bw 100Kbit/s

# THIS SHOULD MAKE DHCP WORK? PS. IT DID.
add queue 250 ip from any to any
queue 250 config weight 1 pipe 250 mask src-ip 0xffffffff
pipe 250 config bw 10Kbit/s

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 18 05:49:13 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A2DC16A4B3 for ; Thu, 18 Sep 2003 05:49:13 -0700 (PDT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 55A8B43FBF for ; Thu, 18 Sep 2003 05:49:12 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.3) with ESMTP id h8ICn9sd058731; Thu, 18 Sep 2003 05:49:09 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id h8ICn9Hp058730; Thu, 18 Sep 2003 05:49:09 -0700 (PDT) (envelope-from rizzo) Date: Thu, 18 Sep 2003 05:49:09 -0700
From: Luigi Rizzo To: "Thomas S. Crum - 1WISP, Inc." Message-ID: <20030918054908.A58676@xorpc.icir.org> References: <010401c37ddb$9f1f8a20$5e01a8c0@1wispadmin> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <010401c37ddb$9f1f8a20$5e01a8c0@1wispadmin>; from tscrum@1wisp.com on Thu, Sep 18, 2003 at 07:54:30AM -0400 cc: freebsd-ipfw@freebsd.org Subject: Re: throttling bandwidth on different ports X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 12:49:13 -0000

if you want per-service differentiation then you should have multiple queues (with different weights) point to the mask on the queue to include the port numbers. Something like this (ipfw2 syntax):

# do the address check only once
ipfw -c add 1000 skipto 1010 not src-ip 192.168.1.0/24,66.255.6.0/24
ipfw -c add 1000 queue 30 proto tcp src-port 80,443 // web
ipfw -c add 1000 queue 31 src-port 53 // dns
ipfw -c add 1000 queue 32 // all the rest from these hosts
ipfw -c add 1010 ... // other traffic

# you can have different masks on the queues
ipfw queue 30 config weight 10 pipe 1 mask src-ip 0xffffffff
ipfw queue 31 config weight 5 pipe 1
ipfw queue 32 config weight 1 pipe 1 mask src-ip 0x000000ff
ipfw pipe 1 config bw 200kbit/s

cheers
luigi

On Thu, Sep 18, 2003 at 07:54:30AM -0400, Thomas S. Crum - 1WISP, Inc. wrote:
> Hi List,
>
> I thank anyone, in advance, who might offer some light to my question below.
>
> At our office, we have a T1 circuit that I am trying to divvy up bandwidth as
> you see below. I would like to give a greater amount of pipe to "web"
> associated ports and allow the rest of the traffic to fall into a default
> queue, both up and down.
>
> When I run this config it seems that the "web"
> associated ports are simply falling into the default queue, which of course
> slows everything to a crawl since the default queues are so small.
>
> Is it possible to queue tcp traffic as I am attempting to do?
>
> Can anyone give me some insight as to why this is happening and offer a
> solution that will accomplish what I am attempting.
>
> I am running dummynet as a bridge behind my router and in front of
> everything else on freebsd. My config is below.
>
> ###################
>
> # TOM'S PLAYGROUND
>
> # DO THIS CAUSE THEY SAY ITS GOOD
> add check-state
>
> # BLOCK BAD IP'S
> #add deny ip from 192.168.1.27 to any
> #add deny ip from any to 192.168.1.27
>
> # Keep those nasty viruses, worms and critters away.
> add deny udp from any to any 8998
> add deny tcp from any to any 135
> add deny udp from any to any 69
> add deny tcp from any to any 4444
> add deny tcp from any to any 707
> add deny tcp from any to any 137
> add deny udp from any to any 137
> add deny tcp from any to any 138
> add deny udp from any to any 138
> add deny tcp from any to any 139
> add deny udp from any to any 139
> add deny tcp from any to any 593
> add deny udp from any to any 593
>
> # GIVE ME FULL PIPE WHEN SSH FROM OUTSIDE
> add allow tcp from 66.255.6.221 to any 22
> add allow tcp from any to 66.255.6.221 22
>
> # ALLOW LOCAL IP'S TO PASS W/ EACH OTHER
> add allow ip from 192.168.1.0/24 to 192.168.1.0/24
> add allow ip from 192.168.1.0/24 to 66.255.6.0/24
> add allow ip from 66.255.6.0/24 to 66.255.6.0/24
> add allow ip from 66.255.6.0/24 to 192.168.1.0/24
>
> # MAILSERVER "DUPLEX"
> add queue 10 ip from any to 66.255.6.131
> add queue 11 ip from 66.255.6.131 to any
> queue 10 config weight 1 pipe 10 mask src-ip 0xffffffff
> queue 11 config weight 1 pipe 10 mask dst-ip 0xffffffff
> pipe 10 config bw 50Kbit/s
>
> # EVERYBODY "DOWN 80, 443 AND 53 PORT" 80/20
> add queue 30 tcp from any to 192.168.1.0/24 80
> add queue 30 tcp from any to 66.255.6.0/24 80
> add queue 30 tcp from any to 192.168.1.0/24 53
> add queue 30 tcp from any to 66.255.6.0/24 53
> add queue 30 udp from any to 192.168.1.0/24 53
> add queue 30 udp from any to 66.255.6.0/24 53
> add queue 30 tcp from any to 192.168.1.0/24 443
> add queue 30 tcp from any to 66.255.6.0/24 443
> add queue 30 udp from any to 192.168.1.0/24 443
> add queue 30 udp from any to 66.255.6.0/24 443
> queue 30 config weight 1 pipe 30 mask dst-ip 0xffffffff
> pipe 30 config bw 960Kbit/s
>
> # EVERYBODY "DOWN ALL PORTS"
> add queue 31 ip from any to 192.168.1.0/24
> add queue 31 ip from any to 66.255.6.0/24
> queue 31 config weight 1 pipe 31 mask dst-ip 0xffffffff
> pipe 31 config bw 240Kbit/s
>
> # EVERYBODY "UP 80, 443 AND 53 PORT" 60/40
> add queue 32 tcp from 192.168.1.0/24 80 to any
> add queue 32 tcp from 66.255.6.0/24 80 to any
> add queue 32 tcp from 192.168.1.0/24 53 to any
> add queue 32 tcp from 66.255.6.0/24 53 to any
> add queue 32 udp from 192.168.1.0/24 53 to any
> add queue 32 udp from 66.255.6.0/24 53 to any
> add queue 32 tcp from 192.168.1.0/24 443 to any
> add queue 32 tcp from 66.255.6.0/24 443 to any
> add queue 32 udp from 192.168.1.0/24 443 to any
> add queue 32 udp from 66.255.6.0/24 443 to any
> queue 32 config weight 1 pipe 32 mask src-ip 0xffffffff
> pipe 32 config bw 150Kbit/s
>
> # EVERYBODY "UP ALL PORTS"
> add queue 33 ip from 192.168.1.0/24 to any
> add queue 33 ip from 66.255.6.0/24 to any
> queue 33 config weight 1 pipe 33 mask src-ip 0xffffffff
> pipe 33 config bw 100Kbit/s
>
> # THIS SHOULD MAKE DHCP WORK? PS. IT DID.
> add queue 250 ip from any to any
> queue 250 config weight 1 pipe 250 mask src-ip 0xffffffff
> pipe 250 config bw 10Kbit/s
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 19 06:33:46 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A71F116A4B3 for ; Fri, 19 Sep 2003 06:33:46 -0700 (PDT) Received: from web12707.mail.yahoo.com (web12707.mail.yahoo.com [216.136.173.244]) by mx1.FreeBSD.org (Postfix) with SMTP id 157CA43F3F for ; Fri, 19 Sep 2003 06:33:44 -0700 (PDT) (envelope-from dsurovtsev@yahoo.com) Message-ID: <20030919133343.94924.qmail@web12707.mail.yahoo.com> Received: from [217.27.144.5] by web12707.mail.yahoo.com via HTTP; Fri, 19 Sep 2003 06:33:43 PDT Date: Fri, 19 Sep 2003 06:33:43 -0700 (PDT)
From: dmitry surovtsev To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: ARP not working on interface that does not have an IP X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 13:33:46 -0000

Try to give rl0 and ADSL ip addresses from the same net, i.e. 192.168.1.1 and 192.168.1.2. rl1 may remain 192.168.0.2. As well, PCs of your LAN should have 192.168.0.2 as default gw.

Subject: ARP not working on interface that does not have an IP To: Message-ID: <000c01c37c84$84017080$4d00a8c0@mickey> Content-Type: text/plain; charset="Windows-1252"

My description is lengthy but believe me, it is a "simple" problem.

Greetings, I am trying to insert a FreeBSD Bridging Firewall into an existing office broadband network.

[[ ADSL modem / router (double as a NAT box) ]] <===> [[ "rl0" FreeBSD "rl1" ]] <===> [[ office LAN switch ]]

"rl0" is connected to the outside ADSL box and "rl1" is connected to the internal office LAN switch. The ADSL box has an IP of 192.168.0.1 and is the default router for everybody. "rl1" has an IP of 192.168.0.2 while "rl0" does not have an IP configured.

I have 99% of everything working, including the passing of ARP (I am running ipfw2 on 5.1R). The PCs on the office internal LAN can connect to the outside world with no problem whatsoever.

The only problem is "rl0" doesn't seem to be able to look up the MAC address of 192.168.0.1 (the ADSL router) through ARP and that means any TCP/IP connections I initiated on the FreeBSD box to the outside world would fail.

? (192.168.0.1 at (incomplete) on rl1 [ethernet]

Looks like the system is expecting the ARP entry to come from rl1 while it should have been from rl0. I ran tcpdump on "rl0" and saw both the outgoing ARP requests from the FreeBSD box and the ARP replies from 192.168.0.1.
It is just that the FreeBSD box never seems to get the ARP replies. This problem stays the same even when I run an "open" firewall so I am quite sure it is not something about the rules.

If I give "rl0" an IP address and leave "rl1" without one then the problem is reversed, i.e. "rl1" cannot get any ARP stuff going.

I also tried to give "rl0" an IP address of 192.168.0.3 but "ifconfig" wouldn't take it complaining about:

ifconfig: ioctl (SIOCAIFADDR): File exists

I also tried to give "rl0" an IP address from another subnet (just to fake it) say 192.168.1.1 but then FreeBSD complained about the ARP replies of 192.168.0.1 were coming from the "wrong interface". It was expecting it to come from "rl1" (who is in the network range of 192.168.0.0) instead of from "rl0" (who is NOT in the networking range of 192.168.0.0).

I think I exhausted my experience here and would really appreciate some help.

Many thanks!

Andrew

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 19 08:30:22 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6792D16A4B3 for ; Fri, 19 Sep 2003 08:30:22 -0700 (PDT) Received: from mout0.freenet.de (mout0.freenet.de [194.97.50.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 33AAB43FD7 for ; Fri, 19 Sep 2003 08:30:20 -0700 (PDT) (envelope-from ino-qc@spotteswoode.de.eu.org) Received: from [194.97.50.136] (helo=mx3.freenet.de) by mout0.freenet.de with asmtp (Exim 4.23) id 1A0ND9-0001NX-1Q for freebsd-ipfw@freebsd.org; Fri, 19 Sep 2003 17:30:19 +0200 Received: from p3e9baa86.dip.t-dialin.net ([62.155.170.134] helo=spotteswoode.dnsalias.org) by mx3.freenet.de with asmtp (ID inode@freenet.de) (Exim 4.23 #2) id 1A0ND8-0004F3-J1 for freebsd-ipfw@freebsd.org; Fri, 19 Sep 2003 17:30:18 +0200 Received: (qmail 81397
invoked by uid 0); 19 Sep 2003 15:30:39 -0000 Date: 19 Sep 2003 17:30:17 +0200 Message-ID: 
From: "Clemens Fischer" To: "Clement Laforet" In-Reply-To: <20030917215628.44bd61f7.sheepkiller@cultdeadsheep.org> (Clement Laforet's message of "Wed, 17 Sep 2003 21:56:28 +0200") References: <20030916235808.X92689-100000@skywalker.rogness.net> <20030917175249.4df78d7d.sheepkiller@cultdeadsheep.org> <20030917215628.44bd61f7.sheepkiller@cultdeadsheep.org> User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii cc: freebsd-ipfw@freebsd.org Subject: Re: Divert code X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 15:30:22 -0000 * Clement Laforet: > On 17 Sep 2003 21:52:40 +0200 > "Clemens Fischer" wrote: >> >> the supervise from djbs daemontools? how would this help? > > just to restart the daemons when it crashes ;-) you can catch > signals too, to remove divert rules. Iy quite dirty, but it works ;) naa, that's not in the least dirty. i've been a happy user of the daemontools for quite some time now, it's a very helpful kit. clemens From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 19 12:45:54 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB01316A4B3 for ; Fri, 19 Sep 2003 12:45:54 -0700 (PDT) Received: from cultdeadsheep.org (charon.cultdeadsheep.org [80.65.226.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id B0D0A43FBD for ; Fri, 19 Sep 2003 12:45:52 -0700 (PDT) (envelope-from sheepkiller@cultdeadsheep.org) Received: (qmail 59983 invoked by uid 85); 19 Sep 2003 21:45:51 +0200 Received: from sheepkiller@cultdeadsheep.org by goofy.cultdeadsheep.org by uid 82 with qmail-scanner-1.20rc2 ( Clear:RC:1:. 
Processed in 0.041328 secs); 19 Sep 2003 19:45:51 -0000 Received: from unknown (HELO lucifer.cultdeadsheep.org) (sheepkiller@cultdeadsheep.org@192.168.0.2) by goofy.cultdeadsheep.org with AES256-SHA encrypted SMTP; 19 Sep 2003 21:45:50 +0200 Date: Fri, 19 Sep 2003 21:45:45 +0200 
From: Clement Laforet To: "Clemens Fischer" Message-Id: <20030919214545.6c18f204.sheepkiller@cultdeadsheep.org> In-Reply-To: References: <20030916235808.X92689-100000@skywalker.rogness.net> <20030917175249.4df78d7d.sheepkiller@cultdeadsheep.org> <20030917215628.44bd61f7.sheepkiller@cultdeadsheep.org> Organization: tH3 cUlt 0f tH3 d3@d sH33p X-Mailer: Sylpheed version 0.9.4 (GTK+ 1.2.10; i386-portbld-freebsd5.1) X-Face: ._cVVRDn#-2((lnfi^P7CoD4htI$4+#G/G)!w|,}H5yK~%(3-C.JlEYbOjJGFwJkt*7N^%z jYeu[;}]}F"3}l5R'l"X0HbvT^D\Q&%deCo)MayY`);TO Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@freebsd.org Subject: Re: Divert code X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 19:45:54 -0000

On 19 Sep 2003 17:30:17 +0200 "Clemens Fischer" wrote:
> naa, that's not in the least dirty. i've been a happy user of the
> daemontools for quite some time now, it's a very helpful kit.

It's not dirty to try to keep your daemon up. Like you, I use daemontools on critical daemons that need to be working all the time, like log dispatchers, but we need to know why it dies. supervise is a tool, not a solution. Using daemontools is a good way not to be woken during the night :-)

In this particular case, I would probably make the daemon catch signals to crash "gracefully" and remove the divert rule before dying. IDSes are very helpful but they mustn't cause downtime, IMHO.
regards, clem From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 20 08:10:27 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 67FFF16A4B3 for ; Sat, 20 Sep 2003 08:10:27 -0700 (PDT) Received: from lurza.secnetix.de (lurza.secnetix.de [195.143.231.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id 075E743FDF for ; Sat, 20 Sep 2003 08:10:26 -0700 (PDT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (ixstoj@localhost [127.0.0.1]) by lurza.secnetix.de (8.12.9p1/8.12.8) with ESMTP id h8KFAOOC062602 for ; Sat, 20 Sep 2003 17:10:24 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Received: (from olli@localhost) by lurza.secnetix.de (8.12.9p1/8.12.8/Submit) id h8KFAOxL062601; Sat, 20 Sep 2003 17:10:24 +0200 (CEST) Date: Sat, 20 Sep 2003 17:10:24 +0200 (CEST) Message-Id: <200309201510.h8KFAOxL062601@lurza.secnetix.de> 
From: Oliver Fromme To: freebsd-ipfw@FreeBSD.ORG X-Newsgroups: list.freebsd-ipfw User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.8-RELEASE (i386)) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Subject: ssh/scp filtering, iplen problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: freebsd-ipfw@FreeBSD.ORG List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Sep 2003 15:10:27 -0000

Hi,

I would like to be able to differentiate between scp and interactive ssh for trafficshaping. In other words: No more than about 90% of the bandwidth should be available to scp transfers (along with FTP and HTTP, but that's easy), and the remaining 10% should be reserved for ssh and other interactive protocols.

However, the obvious problem is that scp uses the ssh protocol, so it's on the same port. So my idea was to differentiate them by the size of the packets. The scp packets usually use the full MTU size (1500), while the interactive ssh packets are typically much smaller.

According to ipfw(8), there is an "iplen" option for filtering -- but it filters on an exact size. What I need is a way to specify a rule that matches on, say, packets on port 22 that are larger than 1000 bytes. Is that possible with IPFW2?

If not -- is there any other way to accomplish what I want to achieve?

Thanks a bunch in advance!

Regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München

Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

"If you aim the gun at your foot and pull the trigger, it's UNIX's job to ensure reliable delivery of the bullet to where you aimed the gun (in this case, Mr. Foot)." -- Terry Lambert, FreeBSD-hackers mailing list.
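The following is an added example, not code from this thread or from any of its posters. It puts together Luigi Rizzo's earlier advice in the "throttling bandwidth on different ports" thread (several queues with different weights feeding one pipe, each with its own flow mask) and the size-based ssh classification asked about here: ipfw2 accepts a range for the iplen option, so "iplen 1000-65535" matches any IP datagram whose total length, header included, is at least 1000 bytes. Full-size ssh packets are queued with FTP and HTTP at weight 90, while small ssh packets and everything else share a weight-10 queue on the same pipe. The interface name fxp0, the 1000-byte threshold, the 2000Kbit/s link rate and all rule, pipe and queue numbers are assumptions chosen for illustration; the classify_packet function is a stand-alone first-match model of the ruleset, not something ipfw provides.

```shell
#!/bin/sh
# Added example, not from the thread: shape ssh by packet size with ipfw2
# and dummynet. Bulk scp packets (full-size datagrams) share one queue
# with FTP and HTTP at weight 90; small interactive ssh packets and all
# other traffic get a queue of weight 10 on the same pipe, so interactive
# sessions keep a guaranteed share when bulk transfers saturate the link.
# ipfw2 accepts a range for iplen: "iplen 1000-65535" matches any IP
# datagram whose total length, header included, is at least 1000 bytes.
# EXT_IF, the threshold, the link rate and all rule, pipe and queue
# numbers are assumptions chosen for illustration.

: "${EXT_IF:=fxp0}"          # assumed outside interface whose uplink is shaped
: "${LINK_BW:=2000Kbit/s}"   # assumed uplink capacity
: "${BULK_LEN:=1000}"        # datagrams at least this long count as bulk
: "${IPFW:=ipfw -q}"         # command used to load rules; override to dry-run

# Emit the ruleset, one ipfw command per line. ipfw is first-match, so
# the iplen-qualified port-22 rules (1000/1001) must come before the
# plain port-22 rules (1010/1011); reversed, every ssh packet would land
# in the interactive queue and the size test would never be reached.
ssh_shaping_rules() {
    cat <<EOF
pipe 1 config bw ${LINK_BW}
queue 1 config pipe 1 weight 90 mask dst-ip 0xffffffff
queue 2 config pipe 1 weight 10 mask dst-ip 0xffffffff
add 1000 queue 1 tcp from any to any 22 out via ${EXT_IF} iplen ${BULK_LEN}-65535
add 1001 queue 1 tcp from any 22 to any out via ${EXT_IF} iplen ${BULK_LEN}-65535
add 1010 queue 2 tcp from any to any 22 out via ${EXT_IF}
add 1011 queue 2 tcp from any 22 to any out via ${EXT_IF}
add 1020 queue 1 tcp from any to any 21,80,443 out via ${EXT_IF}
add 1021 queue 1 tcp from any 21,80,443 to any out via ${EXT_IF}
add 1030 queue 2 ip from any to any out via ${EXT_IF}
EOF
}

# Feed every line to ipfw. On the real box run this as root; set
# IPFW="ipfw -n" to have ipfw only syntax-check the commands.
load_rules() {
    ssh_shaping_rules | while read -r line; do
        $IPFW $line || exit 1
    done
}

# First-match model of the rules above for one outbound packet: prints
# the queue a packet with this protocol, source port, destination port
# and total IP length would be sent to. Handy for checking the rule
# order before touching the kernel.
classify_packet() {
    proto=$1 sport=$2 dport=$3 len=$4
    if [ "$proto" = tcp ]; then
        if [ "$sport" -eq 22 ] || [ "$dport" -eq 22 ]; then
            if [ "$len" -ge "$BULK_LEN" ]; then echo 1; else echo 2; fi
            return 0
        fi
        case ",$sport,$dport," in
            *,21,*|*,80,*|*,443,*) echo 1; return 0 ;;
        esac
    fi
    echo 2
}

# Typical use on the router: sh shape-ssh.sh apply
if [ "${1:-}" = apply ]; then
    load_rules
fi
```

Two caveats a practitioner should keep in mind. Classification is per packet, not per session: the small ACKs of a bulk download go to the interactive queue and a large paste into an interactive session goes to the bulk queue, which is acceptable for shaping but useless for accounting. Dummynet weights are shares under contention, not caps, so bulk traffic still takes the whole pipe while no interactive packet is waiting. With the default net.inet.ip.fw.one_pass=1 a packet handed to a queue is accepted and not re-evaluated; with one_pass=0 it re-enters the ruleset at the next rule, so the ordinary allow and deny rules below these still apply.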
From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 20 08:23:37 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BDE2916A4B3 for ; Sat, 20 Sep 2003 08:23:37 -0700 (PDT) Received: from tenebras.com (blade.tenebras.com [66.92.188.175]) by mx1.FreeBSD.org (Postfix) with SMTP id 33A7D43FCB for ; Sat, 20 Sep 2003 08:23:37 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 21771 invoked from network); 20 Sep 2003 15:23:36 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 20 Sep 2003 15:23:36 -0000 Message-ID: <3F6C70F8.3060606@tenebras.com> Date: Sat, 20 Sep 2003 08:23:36 -0700 
From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: freebsd-ipfw@FreeBSD.ORG References: <200309201510.h8KFAOxL062601@lurza.secnetix.de> In-Reply-To: <200309201510.h8KFAOxL062601@lurza.secnetix.de> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: ssh/scp filtering, iplen problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Sep 2003 15:23:37 -0000 Oliver Fromme wrote: > I would like to be able to differentiate between scp and > interactive ssh for trafficshaping. I suppose running multiple instances of sshd on different ports is out of the question? From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 20 08:53:46 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AE71016A4B3 for ; Sat, 20 Sep 2003 08:53:46 -0700 (PDT) Received: from out003.verizon.net (out003pub.verizon.net [206.46.170.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFC9543FF5 for ; Sat, 20 Sep 2003 08:53:45 -0700 (PDT) (envelope-from cswiger@mac.com) Received: from mac.com ([68.237.14.199]) by out003.verizon.net (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP id <20030920155344.BKHM29617.out003.verizon.net@mac.com> for ; Sat, 20 Sep 2003 10:53:44 -0500 Message-ID: <3F6C7808.8070408@mac.com> Date: Sat, 20 Sep 2003 11:53:44 -0400 
From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20030916 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@FreeBSD.ORG References: <200309201510.h8KFAOxL062601@lurza.secnetix.de> In-Reply-To: <200309201510.h8KFAOxL062601@lurza.secnetix.de> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Authentication-Info: Submitted using SMTP AUTH at out003.verizon.net from [68.237.14.199] at Sat, 20 Sep 2003 10:53:44 -0500 Subject: Re: ssh/scp filtering, iplen problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Sep 2003 15:53:46 -0000

Oliver Fromme wrote:
[ ... ]
> If not -- is there any other way to accomplish what I
> want to achieve?

The other poster's suggestion about using port 22 for interactive and some other port for scp copying is probably the easiest.

The next thought I had would be to instrument ssh and log a line indicating the amount of traffic consumed, perhaps via syslog to a central machine, if you wanted to monitor traffic for lots of machines rather than just one test server.

A quick look at "ssh -v" suggests that ssh keeps a byte counter, and doing filecopy invokes ssh on the remote side with a command of "scp -t ..." (so that you could distinguish between interactive and copying modes within ssh).
-- -Chuck From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 20 09:18:09 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2FA8D16A4B3 for ; Sat, 20 Sep 2003 09:18:09 -0700 (PDT) Received: from shellma.zin.lublin.pl (shellma.zin.lublin.pl [212.182.126.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id DF9F743F85 for ; Sat, 20 Sep 2003 09:18:07 -0700 (PDT) (envelope-from pawmal-posting@freebsd.lublin.pl) Received: by shellma.zin.lublin.pl (Postfix, from userid 1018) id 84EA55F103; Sat, 20 Sep 2003 18:20:19 +0200 (CEST) Date: Sat, 20 Sep 2003 18:20:19 +0200 
From: Pawel Malachowski To: freebsd-ipfw@freebsd.org Message-ID: <20030920162019.GA30356@shellma.zin.lublin.pl> References: <200309201510.h8KFAOxL062601@lurza.secnetix.de> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <200309201510.h8KFAOxL062601@lurza.secnetix.de> User-Agent: Mutt/1.4.1i cc: olli@lurza.secnetix.de Subject: Re: ssh/scp filtering, iplen problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Sep 2003 16:18:09 -0000 On Sat, Sep 20, 2003 at 05:10:24PM +0200, Oliver Fromme wrote: > According to ipfw(8), there is an "iplen" option for > filtering -- but it filters on an exact size. What I > need is a way to specify a rule that matches on, say, > packets on port 22 that are larger than 1000 bytes. > Is that possible with IPFW2? Yes, thanks to Luigi it is possible to use iplen ranges. 
-- Paweł Małachowski From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 20 11:34:17 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 404F916A4B3 for ; Sat, 20 Sep 2003 11:34:17 -0700 (PDT) Received: from lurza.secnetix.de (lurza.secnetix.de [195.143.231.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id D372643FE3 for ; Sat, 20 Sep 2003 11:34:15 -0700 (PDT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (zyrozo@localhost [127.0.0.1]) by lurza.secnetix.de (8.12.9p1/8.12.8) with ESMTP id h8KIYDOC069101 for ; Sat, 20 Sep 2003 20:34:14 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Received: (from olli@localhost) by lurza.secnetix.de (8.12.9p1/8.12.8/Submit) id h8KIYDfg069100; Sat, 20 Sep 2003 20:34:13 +0200 (CEST) Date: Sat, 20 Sep 2003 20:34:13 +0200 (CEST) Message-Id: <200309201834.h8KIYDfg069100@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
In-Reply-To: <3F6C7808.8070408@mac.com>
Subject: Re: ssh/scp filtering, iplen problem

Chuck Swiger wrote:
> Oliver Fromme wrote:
> [ ... ]
> > If not -- is there any other way to accomplish what I
> > want to achieve?
>
> The other poster's suggestion about using port 22 for interactive and some other
> port for scp copying is probably the easiest.

I can't do that, unfortunately.

> The next thought I had would be to instrument ssh and log a line indicating the
> amount of traffic consumed, perhaps via syslog to a central machine, if you
> wanted to monitor traffic for lots of machines rather than just one test server.
>
> A quick look at "ssh -v" suggests that ssh keeps a byte counter, and doing
> filecopy invokes ssh on the remote side with a command of "scp -t ..." (so that
> you could distinguish between interactive and copying modes within ssh).

I don't need it for monitoring or accounting, but for traffic-shaping (IPFW2 + dummynet). So any userland information like syslog or ssh byte counters won't help me at all, I'm afraid.

Regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"FreeBSD is Yoda, Linux is Luke Skywalker" -- Daniel C. Sobral

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 20 11:42:24 2003
Date: Sat, 20 Sep 2003 20:42:21 +0200 (CEST)
Message-Id: <200309201842.h8KIgLNs069297@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
In-Reply-To: <20030920162019.GA30356@shellma.zin.lublin.pl>
Subject: Re: ssh/scp filtering, iplen problem

Pawel Malachowski wrote:
> On Sat, Sep 20, 2003 at 05:10:24PM +0200, Oliver Fromme wrote:
> > According to ipfw(8), there is an "iplen" option for
> > filtering -- but it filters on an exact size. What I
> > need is a way to specify a rule that matches on, say,
> > packets on port 22 that are larger than 1000 bytes.
> > Is that possible with IPFW2?
>
> Yes, thanks to Luigi it is possible to use iplen ranges.

Thanks, now I found it in 4-stable in the CVS repo. Unfortunately I'm running 4.8-Release, which doesn't have that feature. Well, 4.9 isn't too far in the future, so I will just wait a little bit. :-)

Thanks for the hint, Pawel!

Regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Unix gives you just enough rope to hang yourself --
and then a couple of more feet, just to be sure."
-- Eric Allman

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 20 12:14:33 2003
Date: Sat, 20 Sep 2003 12:14:32 -0700
From: Luigi Rizzo
To: freebsd-ipfw@freebsd.org
Message-ID: <20030920121432.A66539@xorpc.icir.org>
In-Reply-To: <200309201842.h8KIgLNs069297@lurza.secnetix.de>
Subject: Re: ssh/scp filtering, iplen problem

On Sat, Sep 20, 2003 at 08:42:21PM +0200, Oliver Fromme wrote:
> Pawel Malachowski wrote:
> > On Sat, Sep 20, 2003 at 05:10:24PM +0200, Oliver Fromme wrote:
> > > According to ipfw(8), there is an "iplen" option for
> > > filtering -- but it filters on an exact size. What I
> > > need is a way to specify a rule that matches on, say,
> > > packets on port 22 that are larger than 1000 bytes.
> > > Is that possible with IPFW2?
> >
> > Yes, thanks to Luigi it is possible to use iplen ranges.
>
> Thanks, now I found it in 4-stable in the CVS repo.
> Unfortunately I'm running 4.8-Release, which doesn't

the changes only involve

    sys/netinet/ip_fw2.[ch]
    sbin/ipfw/ipfw2.c

and are completely backward compatible.

cheers
luigi

> have that feature. Well, 4.9 isn't too far in the
> future, so I will just wait a little bit. :-)
>
> Thanks for the hint, Pawel!
>
> Regards
> Oliver

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 20 12:35:26 2003
Message-Id: <200309201935.h8KJZPYe096995@whizzo.transsys.com>
To: Michael Sierchio
From: "Louis A. Mamakos"
cc: freebsd-ipfw@freebsd.org
Date: Sat, 20 Sep 2003 15:35:25 -0400
In-reply-to: Your message of "Sat, 20 Sep 2003 08:23:36 PDT." <3F6C70F8.3060606@tenebras.com>
Subject: Re: ssh/scp filtering, iplen problem

> Oliver Fromme wrote:
> >
> > I would like to be able to differentiate between scp and
> > interactive ssh for trafficshaping.
>
> I suppose running multiple instances of sshd on different ports
> is out of the question?

It might be nice if ssh and sshd set the appropriate DSCP bits in the IP header to distinguish between interactive use vs. bulk file transfers. You wouldn't then have to try to "second guess" what the nature of the traffic is.

louie
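The iplen-range approach Pawel and Luigi point at, and the DSCP marking Louie wishes for, as an added Python model that is not code from any poster or from ipfw itself: it shows that "larger than 1000 bytes" has to be written as the range 1001-65535 (iplen is the IP total length, headers included, bounded by the 16-bit field), and steers constructed port-22 packets to dummynet pipe numbers the way a first-match ruleset would. The packet sizes, pipe numbers and the dscp match are assumptions.

```python
# Added example (not from any poster, not ipfw code): toy model of an IPFW2 ruleset.
from dataclasses import dataclass
IP_MAX_LEN = 65535  # upper bound of the 16-bit IP total-length field

@dataclass(frozen=True)
class Packet:
    dport: int
    iplen: int     # IP total length, headers included: the value ipfw's iplen tests
    dscp: int = 0  # constructed DSCP codepoint; 0 means unmarked

def parse_iplen(spec):
    """Parse an IPFW2 iplen list such as '1001-65535' or '40,500-1000'."""
    ranges = []
    for item in spec.split(","):
        lo, sep, hi = item.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if sep else int(lo))
        if not 0 <= lo_i <= hi_i <= IP_MAX_LEN:
            raise ValueError(f"bad iplen range {item!r}")
        ranges.append((lo_i, hi_i))
    return ranges

def larger_than(n):
    """ipfw has no '>' for iplen; 'larger than n bytes' is the range (n+1)-65535."""
    return f"{n + 1}-{IP_MAX_LEN}"

@dataclass(frozen=True)
class PipeRule:
    pipe: int          # dummynet pipe a matching packet is queued to
    dport: int
    iplen: str = None  # iplen range list; None skips the length test
    dscp: int = None   # hypothetical DSCP match (Louie's idea), not an ipfw option here

    def matches(self, p):
        if p.dport != self.dport or (self.dscp is not None and p.dscp != self.dscp):
            return False
        return self.iplen is None or any(
            lo <= p.iplen <= hi for lo, hi in parse_iplen(self.iplen))

def classify(rules, packets, default_pipe):
    """First matching rule wins, as in an ipfw ruleset; returns packets per pipe."""
    counts = {}
    for p in packets:
        pipe = next((r.pipe for r in rules if r.matches(p)), default_pipe)
        counts[pipe] = counts.get(pipe, 0) + 1
    return counts

# Constructed port-22 traffic: keystroke-sized packets and MTU-sized scp segments.
SAMPLE = [Packet(22, 92), Packet(22, 1500), Packet(22, 88), Packet(22, 1001), Packet(80, 1500)]
BULK_FIRST = [PipeRule(pipe=2, dport=22, iplen=larger_than(1000)), PipeRule(pipe=1, dport=22)]
```

Rule order matters as in ipfw: the size-restricted rule must come before the catch-all port-22 rule, otherwise every ssh packet lands in pipe 1.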