From owner-freebsd-ipfw@FreeBSD.ORG  Sun Nov 30 04:26:38 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9CBC516A4CF
	for <freebsd-ipfw@freebsd.org>; Sun, 30 Nov 2003 04:26:38 -0800 (PST)
Received: from spf13.us4.outblaze.com (205-158-62-67.outblaze.com
	[205.158.62.67])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6DE6843FDD
	for <freebsd-ipfw@freebsd.org>; Sun, 30 Nov 2003 04:26:33 -0800 (PST)
	(envelope-from ivo@bsdmail.org)
Received: from 205-158-62-68.outblaze.com (205-158-62-68.outblaze.com
	[205.158.62.68])
	by spf13.us4.outblaze.com (Postfix) with QMQP id 9F5821801D6E
	for <freebsd-ipfw@freebsd.org>; Sun, 30 Nov 2003 12:26:31 +0000 (GMT)
Received: (qmail 99824 invoked from network); 30 Nov 2003 12:26:31 -0000
Received: from unknown (HELO ws5-2.us4.outblaze.com) (205.158.62.133)
  by 205-158-62-153.outblaze.com with SMTP; 30 Nov 2003 12:26:31 -0000
Received: (qmail 7869 invoked by uid 1001); 30 Nov 2003 12:26:31 -0000
Message-ID: <20031130122631.7868.qmail@bsdmail.com>
Content-Type: multipart/mixed; boundary="----------=_1070195191-6845-0"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [62.73.96.164] by ws5-3.us4.outblaze.com with http for
    ivo@bsdmail.org; Sun, 30 Nov 2003 14:26:31 +0200
From: "Ivo Vachkov" <ivo@bsdmail.org>
To: freebsd-ipfw@freebsd.org
Date: Sun, 30 Nov 2003 14:26:31 +0200
X-Originating-Ip: 62.73.96.164
X-Originating-Server: ws5-3.us4.outblaze.com
cc: freebsd-net@freebsd.org
Subject: 
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Nov 2003 12:26:38 -0000

This is a multi-part message in MIME format...

------------=_1070195191-6845-0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Hi all,

I've been trying to write some code using divert(4) sockets, but i meet the following difficulties:
    - when i get diverted packet it has both source and destination IP addresses the same. The attached code shows:

    192.168.0.2 -> 192.168.0.2
    getting 84 bytes, real: 84

and the way I run it is (on 192.168.0.2):

    ipfw add 100 divert 8670 ip from any to 192.168.0.1
    burstd

then on 192.168.0.2 I issue "ping 192.168.0.1"

    - the manual says this happens with recvfrom()/sendto(), but recv() is mentioned to be same as recvfrom() and read()/write() sometimes fail.

After digging some kernel code I've found that around line 167 in ip_divert.c we have:

	/*
	 * Record receive interface address, if any.
	 * But only for incoming packets.
	 */
	divsrc.sin_addr.s_addr = 0;
	if (incoming) {
		struct ifaddr *ifa;

		/* Sanity check */
		KASSERT((m->m_flags & M_PKTHDR), ("%s: !PKTHDR", __FUNCTION__));

		/* Find IP address for receive interface */
		TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
			if (ifa->ifa_addr == NULL)
				continue;
			if (ifa->ifa_addr->sa_family != AF_INET)
				continue;
			divsrc.sin_addr =
			    ((struct sockaddr_in *) ifa->ifa_addr)->sin_addr;
			break;
		}
	}

which (as I think) changes the address of diverted packet. What is the reason for that and are there any workarounds to get real source and destination IP addresses from a diverted packet. I need both because I try to make connection tracking based on src<->dst .

Any help with that is appretiated. Any divert code welcome. I've looked through natd.c and it was helpfull.

    Ivo Vachkov

P.S. Excuse my:
    - English
    - long pastes
    - (sometimes) lack of kernel code understanding
-- 
_______________________________________________
Get your free email from http://mymail.bsdmail.com

Powered by Outblaze

------------=_1070195191-6845-0
Content-Type: application/octet-stream; name="Makefile"
Content-Disposition: attachment; filename="Makefile"
Content-Transfer-Encoding: base64

Q0MJPQljYwpDRkxBR1MJPQktZyAtV2FsbCAtV3BvaW50ZXItYXJpdGgKTElC
Uwk9CgpTUkMJPQlidXJzdGQuYwpPQkoJPQkKUFJPRwk9CWJ1cnN0ZAoKYWxs
OiQoU1JDKQoJJChDQykgJChDRkxBR1MpIC1jICouYwoJJChDQykgJChDRkxB
R1MpIC1vICQoUFJPRykgJChTUkMpICQoT0JKKSAkKExJQlMpCgpjbGVhbjoK
CXJtIC1mICQoUFJPRykgKi5jb3JlICoubyBldGMvKgo=

------------=_1070195191-6845-0
Content-Type: application/octet-stream; name="burstd.h"
Content-Disposition: attachment; filename="burstd.h"
Content-Transfer-Encoding: base64

I2luY2x1ZGUgPHN5cy90eXBlcy5oPgojaW5jbHVkZSA8c3lzL3NvY2tldC5o
PgojaW5jbHVkZSA8c3lzL3N5c2N0bC5oPgojaW5jbHVkZSA8c3lzL3RpbWUu
aD4KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4KI2luY2x1ZGUgPG5ldGluZXQv
aW5fc3lzdG0uaD4KI2luY2x1ZGUgPG5ldGluZXQvaXAuaD4KI2luY2x1ZGUg
PG1hY2hpbmUvaW5fY2tzdW0uaD4KI2luY2x1ZGUgPG5ldGluZXQvdGNwLmg+
CiNpbmNsdWRlIDxuZXRpbmV0L3VkcC5oPgojaW5jbHVkZSA8bmV0aW5ldC9p
cF9pY21wLmg+CiNpbmNsdWRlIDxuZXQvaWYuaD4KI2luY2x1ZGUgPG5ldC9p
Zl9kbC5oPgojaW5jbHVkZSA8bmV0L3JvdXRlLmg+CiNpbmNsdWRlIDxhcnBh
L2luZXQuaD4KI2luY2x1ZGUgPGFsaWFzLmg+CiNpbmNsdWRlIDxjdHlwZS5o
PgojaW5jbHVkZSA8ZXJyLmg+CiNpbmNsdWRlIDxlcnJuby5oPgojaW5jbHVk
ZSA8bmV0ZGIuaD4KI2luY2x1ZGUgPHNpZ25hbC5oPgojaW5jbHVkZSA8c3Rk
aW8uaD4KI2luY2x1ZGUgPHN0ZGxpYi5oPgojaW5jbHVkZSA8c3RyaW5nLmg+
CiNpbmNsdWRlIDxzeXNsb2cuaD4KI2luY2x1ZGUgPHVuaXN0ZC5oPgoKLy8g
I2luY2x1ZGUgInF1ZXVlLmgiCgojZGVmaW5lIENPTkYJCSJidXJzdGQuY29u
ZiIKCi8qIENvbm5lY3Rpb24gdHlwZTsgYnVyc3RpbmcgKi8KdHlwZWRlZiBz
dHJ1Y3QgX2Zsb3cKewoJc3RydWN0IGluX2FkZHIgCXNyY19hZGRyOwoJc3Ry
dWN0IGluX2FkZHIJZHN0X2FkZHI7Cglsb25nIGxvbmcJYnl0ZXM7Cglsb25n
IGxvbmcJbGFzdDsKCWludAkJYWxpdmU7CglpbnQgCQl1c2VkOwp9Q09OTkVD
VElPTjsKCnR5cGVkZWYgc3RydWN0IF9ub2RlCnsKCXN0cnVjdCBfbm9kZSAJ
Km5leHQ7CglzdHJ1Y3QgX2Zsb3cJKmRhdGE7Cn1DT05OX0xJU1Q7Cgpsb25n
IGxvbmcgCWxpbWl0LCByYXRlOwoKLyogU29tZSBmdW5jdGlvbnMgKi8KCi8q
IHNpZ25hbC5jICovCnZvaWQgc2lnX2Fscm1faG5kKGludCBzaWcpOwovKiBp
bml0LmMgKi8Kdm9pZCBzZXRfcmF0ZV9saW1pdCgpOwovKiBwYXJlbnQuYyAq
LwppbnQgc2VhcmNoX2Nvbm4oQ09OTkVDVElPTiBjb25zW10sIHN0cnVjdCBp
bl9hZGRyIHNhZGRyLCBzdHJ1Y3QgaW5fYWRkciBkYWRkcik7CmludCBhZGRf
Y29ubihDT05ORUNUSU9OIGNvbnNbXSwgQ09OTkVDVElPTiBzX2Nvbm4pOwo=

------------=_1070195191-6845-0
Content-Type: application/octet-stream; name="burstd.c"
Content-Disposition: attachment; filename="burstd.c"
Content-Transfer-Encoding: base64

I2luY2x1ZGUgImJ1cnN0ZC5oIgoKaW50IG1haW4oaW50IGFyZ2MsIGNoYXIg
Kiphcmd2KQp7CglpbnQgCQkJZGl2SU87CglmZF9zZXQJCQlyZWFkbWFzazsK
CXN0cnVjdCBzb2NrYWRkcl9pbiAJc2E7CglpbnQgCQkJYnl0ZXMsIG9sZGJ5
dGVzLCBhZGRyU2l6ZTsKCXN0cnVjdCBpcCoJCWlwOwoJdm9pZCoJCQlidWZm
OwoJCgoJYnVmZiA9ICh2b2lkICopbWFsbG9jKElQX01BWFBBQ0tFVCk7Cglt
ZW1zZXQoKHZvaWQgKilidWZmLCAwLCBJUF9NQVhQQUNLRVQpOwoJCglpZigo
ZGl2SU8gPSBzb2NrZXQoUEZfSU5FVCwgU09DS19SQVcsIElQUFJPVE9fRElW
RVJUKSkgPT0gLTEpCgl7CgkJcGVycm9yKCJzb2NrZXQiKTsKCQlleGl0KC0x
KTsKCX0KCglzYS5zaW5fZmFtaWx5ID0gQUZfSU5FVDsKCXNhLnNpbl9hZGRy
LnNfYWRkciA9IElOQUREUl9BTlk7CglzYS5zaW5fcG9ydCA9IGh0b25zKDg2
NzApOwoJaWYoYmluZChkaXZJTywgKHN0cnVjdCBzb2NrYWRkciopJnNhLCBz
aXplb2Yoc3RydWN0IHNvY2thZGRyKSkgPT0gLTEpCgl7CgkJcGVycm9yKCJi
aW5kIik7CgkJZXhpdCgtMSk7Cgl9CgoJRkRfWkVSTygmcmVhZG1hc2spOwoJ
RkRfU0VUKGRpdklPLCAmcmVhZG1hc2spOwoJCgl3aGlsZSgxKQoJewoJCWlm
KHNlbGVjdChnZXRkdGFibGVzaXplKCkgKyAxLCAmcmVhZG1hc2ssIE5VTEws
IE5VTEwsIE5VTEwpID09IC0xKQoJCXsKCQkJcGVycm9yKCJzZWxlY3QiKTsK
CQkJZXhpdCgtMSk7CgkJfQoJCWlmKEZEX0lTU0VUKGRpdklPLCAmcmVhZG1h
c2spKQoJCXsKCQkJYWRkclNpemUgPSBzaXplb2Yoc2EpOwoJCQlpZigob2xk
Ynl0ZXMgPSByZWN2ZnJvbShkaXZJTywgYnVmZiwgSVBfTUFYUEFDS0VULCAw
LCAoc3RydWN0IHNvY2thZGRyKikgJnNhLCAmYWRkclNpemUpKSA9PSAtMSkK
CQkJewoJCQkJcGVycm9yKCJyZWN2ZnJvbSIpOwoJCQkJZXhpdCgtMSk7CgkJ
CX0KCQkKCQkJaXAgPSAoc3RydWN0IGlwKikgYnVmZjsKCQkJcHJpbnRmKCIl
cyAtPiAlc1xuIiwgaW5ldF9udG9hKGlwLT5pcF9zcmMpLCBpbmV0X250b2Eo
aXAtPmlwX2RzdCkpOwoJCQlwcmludGYoImdldHRpbmcgJWQgYnl0ZXMsIHJl
YWw6ICVkXG4iLCBvbGRieXRlcywgbnRvaHMoaXAtPmlwX2xlbikpOwoJCQlw
cmludGYoInNhLnNpbl9hZGRyLnNfYWRkciA9ICVzXG4iLCBpbmV0X250b2Eo
c2Euc2luX2FkZHIpKTsKCQkJCgkJCWlmKChieXRlcyA9IHNlbmR0byhkaXZJ
TywgYnVmZiwgb2xkYnl0ZXMsIDAsIChzdHJ1Y3Qgc29ja2FkZHIqKSAmc2Es
IGFkZHJTaXplKSkgIT0gb2xkYnl0ZXMpCgkJCXsKCQkJCXByaW50ZigiRGlm
ZmVyZW50IHJlY2lldmVkL3NlbnQgdmFsdWVzOiAlZCA8LT4gJWRcbiIsIG9s
ZGJ5dGVzLCBieXRlcyk7CgkJCQlwZXJyb3IoInNlbmR0byIpOwoJCQkJZXhp
dCgtMSk7CgkJCX0KCQl9Cgl9CglyZXR1cm4gMDsKfQo=

------------=_1070195191-6845-0--

From owner-freebsd-ipfw@FreeBSD.ORG  Sun Nov 30 08:31:04 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id A731716A4DE; Sun, 30 Nov 2003 08:31:04 -0800 (PST)
Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 92A5743FB1; Sun, 30 Nov 2003 08:31:03 -0800 (PST)
	(envelope-from louie@whizzo.transsys.com)
Received: from whizzo.transsys.com (#6@localhost [127.0.0.1])
	by whizzo.transsys.com (8.12.9p2/8.12.9) with ESMTP id hAUGUoIg060968;
	Sun, 30 Nov 2003 11:30:50 -0500 (EST)
	(envelope-from louie@whizzo.transsys.com)
Message-Id: <200311301630.hAUGUoIg060968@whizzo.transsys.com>
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4
To: "Ivo Vachkov" <ivo@bsdmail.org>
X-Image-URL: http://www.transsys.com/louie/images/louie-mail.jpg
From: "Louis A. Mamakos" <louie@TransSys.COM>
References: <20031130122631.7868.qmail@bsdmail.com> 
In-reply-to: Your message of "Sun, 30 Nov 2003 14:26:31 +0200."
             <20031130122631.7868.qmail@bsdmail.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 30 Nov 2003 11:30:50 -0500
Sender: louie@TransSys.COM
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: 
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Nov 2003 16:31:04 -0000


The problem is in your test program; you're calling inet_ntoa() twice
in your printf() invocation, and the second call to inet_ntoa() overwrites
the static buffer that's returned.

louie

From owner-freebsd-ipfw@FreeBSD.ORG  Sun Nov 30 14:42:22 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5E5B616A4CE
	for <ipfw@freebsd.org>; Sun, 30 Nov 2003 14:42:22 -0800 (PST)
Received: from cisovanet.pl (toudi.cisovanet.pl [212.160.158.193])
	by mx1.FreeBSD.org (Postfix) with SMTP id 5CE7A43FA3
	for <ipfw@freebsd.org>; Sun, 30 Nov 2003 14:42:19 -0800 (PST)
	(envelope-from robert@toudi.cisovanet.pl)
Received: (qmail 97999 invoked from network); 30 Nov 2003 22:42:20 -0000
Received: from unknown (HELO toudi.cisovanet.pl) (212.160.158.193)
  by 0 with SMTP; 30 Nov 2003 22:42:20 -0000
Received: (from robert@localhost)
	by toudi.cisovanet.pl (8.12.6/8.12.6/Submit) id hAUMgJDT097994
	for ipfw@freebsd.org; Sun, 30 Nov 2003 23:42:19 +0100 (CET)
Date: Sun, 30 Nov 2003 23:42:19 +0100
From: Robert Krasicki <robert@toudi.cisovanet.pl>
To: ipfw@freebsd.org
Message-ID: <20031130224219.GA96501@toudi.cisovanet.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Subject: Dummynet problem
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Nov 2003 22:42:22 -0000

Hello,

My machine stopped responding while working
on pipes.

Here's the info I got.

# /var/log/messages
Nov 30 21:30:58 devel stunnel[670]: pop3s connected from 80.56.52.238:1859
Nov 30 21:31:23 devel stunnel[670]: Connection closed: 8013 bytes sent to SSL, 126 bytes sent to socket
Nov 30 21:35:16 devel kernel: dummynet: ++ ref to pipe 11 from fs 1
Nov 30 21:35:16 devel kernel: dummynet: ++ ref to pipe 11 from fs 3
Nov 30 21:35:16 devel kernel: dummynet: ++ ref to pipe 11 from fs 5
Nov 30 21:35:16 devel kernel: dummynet: ++ ref to pipe 11 from fs 7
Nov 30 21:35:16 devel kernel: dummynet: ++ ref to pipe 11 from fs 9
Nov 30 21:35:16 devel kernel: dummynet: ++ ref to pipe 11 from fs 11
Nov 30 21:35:16 devel kernel: dummynet: ++ ref to pipe 11 from fs 15
Nov 30 21:35:45 devel stunnel[670]: pop3s connected from 80.56.52.238:1892
Nov 30 21:35:52 devel stunnel[670]: Connection closed: 2247 bytes sent to SSL, 62 bytes sent to socket
Nov 30 22:17:12 devel syslogd: kernel boot file is /boot/kernel/kernel
Nov 30 22:17:12 devel kernel: Copyright (c) 1992-2003 The FreeBSD Project.
Nov 30 22:17:12 devel kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Nov 30 22:17:12 devel kernel: The Regents of the University of California. All rights reserved.
....
 
Because of I had no direct access to the machine I had to call and ask for
rebooting it (As I can see, reset button was used)

The error occured when I was flushing pipes. 
I'm sure that there were 2 rules set, both allowing access. 
( I just wanted to make sure, that some traffic is 
controlled by ipfw).  

Before, few rules used queues & pipes, but all of them have been
deleted successfuly (so I assume that I could safely flush the pipes ?)

Maybe ony of you had the same problem or maybe I missed with ipfw configuration?

Thanks!

Regards,
Robert

More detailed information:

System information:
FreeBSD devel.foo.com 5.1-RELEASE-p10 FreeBSD 5.1-RELEASE-p10 #1: Wed Oct 22 22:32:11 CEST 2003

Kernel (firewall) options:
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=200
options         IPDIVERT
options         DUMMYNET
options         HZ=1000
options         IPFIREWALL_DEFAULT_TO_ACCEPT

sysctls:
net.link.ether.bridge_ipfw: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0
net.link.ether.ipfw: 0
net.inet.ip.fw.one_pass: 1
(machine is acting as a bridge)

Machine was not overloaded at that moment.

Dmesg:
Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 5.1-RELEASE-p10 #1: Wed Oct 22 22:32:11 CEST 2003
    robert@devel.foo.com:/usr/obj/usr/src/sys/TUNED
Preloaded elf kernel "/boot/kernel/kernel" at 0xc04d9000.
Preloaded elf module "/boot/kernel/acpi.ko" at 0xc04d9278.
Timecounter "i8254"  frequency 1193182 Hz
Timecounter "TSC"  frequency 2400099508 Hz
CPU: Intel(R) Pentium(R) 4 CPU 2.40GHz (2400.10-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf27  Stepping = 7
  
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
real memory  = 1073725440 (1023 MB)
avail memory = 1037737984 (989 MB)
Pentium Pro MTRR support enabled
altq: major number is 96
npx0: <math processor> on motherboard
npx0: INT 16 interface
acpi0: <ASUS   P4G8X   > on motherboard
pcibios: BIOS version 2.10
Using $PIR table, 11 entries at 0xc00f2320
acpi0: power button is handled as a fixed feature programming model.
Timecounter "ACPI-fast"  frequency 3579545 Hz
acpi_timer0: <24-bit timer at 3.579545MHz> port 0xe408-0xe40b on acpi0
acpi_cpu0: <CPU> on acpi0
acpi_cpu1: <CPU> on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <Intel Generic host to PCI bridge> mem 0xf0000000-0xf3ffffff at device 0.0 on pci0
pcib1: <ACPI PCI-PCI bridge> mem 0xe8000000-0xebffffff at device 1.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pci1: <display, VGA> at device 0.0 (no driver attached)
pci0: <serial bus, USB> at device 29.0 (no driver attached)
pci0: <serial bus, USB> at device 29.1 (no driver attached)
pci0: <serial bus, USB> at device 29.2 (no driver attached)
pci0: <serial bus, USB> at device 29.7 (no driver attached)
pcib2: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci2: <ACPI PCI bus> on pcib2
ed0: <NE2000 PCI Ethernet (RealTek 8029)> port 0xa800-0xa81f at device 2.0 on pci2
pcib2: slot 2 INTA is routed to irq 10
ed0: address 00:c0:26:ef:3a:d4, type NE2000 (16 bit)
pci2: <serial bus, FireWire> at device 3.0 (no driver attached)
pci2: <mass storage, RAID> at device 4.0 (no driver attached)
bge0: <Broadcom BCM5702X Gigabit Ethernet, ASIC rev. 0x1002> mem 0xdc800000-0xdc80ffff at device 5.0 on pci2
pcib2: slot 5 INTA is routed to irq 9
bge0: Ethernet address: 00:0c:6e:0f:7a:6b
miibus0: <MII bus> on bge0
brgphy0: <BCM5703 10/100/1000baseTX PHY> on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 1000baseTX-FDX, auto
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH4 UDMA100 controller> port 0xf000-0xf00f,0-0x3,0-0x7,0-0x3,0-0x7 irq 9 at device 31.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
pci0: <multimedia, audio> at device 31.5 (no driver attached)
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> port 0x3f7,0x3f2-0x3f5 irq 6 drq 2 on acpi0
fdc0: FIFO enabled, 8 bytes threshold
ppc0 port 0x778-0x77b,0x378-0x37f irq 7 drq 3 on acpi0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/16 bytes threshold
ppbus0: <Parallel port bus> on ppc0
plip0: <PLIP network interface> on ppbus0
ppi0: <Parallel I/O> on ppbus0
sio0 port 0x3f8-0x3ff irq 4 on acpi0
sio0: type 16550A
sio1 port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
atkbdc0: <Keyboard controller (i8042)> port 0x64,0x60 irq 1 on acpi0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
pmtimer0 on isa0
orm0: <Option ROMs> at iomem 0xd0000-0xd3fff,0xc0000-0xccfff on isa0
sc0: <System console> on isa0
sc0: VGA <16 virtual consoles, flags=0x200>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounters tick every 1.000 msec
DUMMYNET initialized (011031)
ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to accept, logging limited to 200 
packets/entry by default
BBRIDGE 020214 loaded
IPsec: Initialized Security Association Processing.
ad0: 76319MB <ST380011A> [155061/16/63] at ata0-master UDMA100
ad1: 114473MB <ST3120022A> [232581/16/63] at ata0-slave UDMA100
ast0: TAPE <Seagate STT3401A> at ata1-slave PIO3
Mounting root from ufs:/dev/ad0s1a
WARNING: /usr was not properly dismounted
WARNING: /usr was not properly dismounted
WARNING: /share was not properly dismounted

From owner-freebsd-ipfw@FreeBSD.ORG  Mon Dec  1 11:02:41 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 846B916A4CE
	for <ipfw@freebsd.org>; Mon,  1 Dec 2003 11:02:41 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6058D43FCB
	for <ipfw@freebsd.org>; Mon,  1 Dec 2003 11:01:54 -0800 (PST)
	(envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id hB1J1pFY016142
	for <ipfw@freebsd.org>; Mon, 1 Dec 2003 11:01:51 -0800 (PST)
	(envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id hB1J1otU016136
	for ipfw@freebsd.org; Mon, 1 Dec 2003 11:01:50 -0800 (PST)
	(envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 1 Dec 2003 11:01:50 -0800 (PST)
Message-Id: <200312011901.hB1J1otU016136@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to
	owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster <bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Dec 2003 19:02:41 -0000

Current FreeBSD problem reports
Critical problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216  ipfw        kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw        ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw        ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw        ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S  Submitted   Tracker     Resp.       Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw        Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw        [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw        ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw        IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw        ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw        [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw        ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw        ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw        [patch] time based firewalling support fo

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG  Mon Dec  1 16:03:35 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2B35C16A4CE
	for <freebsd-ipfw@freebsd.org>; Mon,  1 Dec 2003 16:03:35 -0800 (PST)
Received: from tyberius.abccom.bc.ca (tyberius.abccom.bc.ca [204.239.167.97])
	by mx1.FreeBSD.org (Postfix) with SMTP id CBF2143F75
	for <freebsd-ipfw@freebsd.org>; Mon,  1 Dec 2003 16:03:33 -0800 (PST)
	(envelope-from jon@abccom.bc.ca)
Received: (qmail 51033 invoked by uid 1000); 2 Dec 2003 00:03:55 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 2 Dec 2003 00:03:55 -0000
Date: Mon, 1 Dec 2003 16:03:55 -0800 (PST)
From: Jon Simola <jon@abccom.bc.ca>
To: freebsd-ipfw@freebsd.org
In-Reply-To: <3A04E74D-225C-11D8-98F0-003065F1EE08@edgefocus.com>
Message-ID: <20031201154231.M38868-100000@tyberius.abccom.bc.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: MAN page example vs. this?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2003 00:03:35 -0000

On Sat, 29 Nov 2003, Sean Hafeez wrote:

> the man pages has this example:
>
> ipfw add pipe 1 ip from 192.168.2.0/24 to any out
> ipfw add pipe 2 ip from any to 192.168.2.0/24 in
> ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
> ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
>
> the man page say this does:
>
> ...is limiting the outbound traffic on a net with per-host limits,
> rather than per-network limits...
>
> my first question is this just outbound? seem to me that pipe 1 is the
> outbound limit and pipe 2 is an inbound limit? so this is a symmetric
> link? am i reading this wrong?

You're right, there are 2 queues defined, one for each direction.

> second, the mask only applies to the last octet of the ip address (ff) -
> correct? so each host both out bound user and is upstream target (i.e.
> www.cnn.com)?

The host 192.168.2.3 would be limited to sending 200Kbits/sec and
receiving 200Kbits/sec total, without concern of what other IP's it is
talking to.

> now here is what i got from somewhere else. i am limiting each host (ip
> address) to 200kbits/s. rl1 is the internal interface to the users.
>
> ipfw add pipe 1 ip from any to any in recv rl1
> ipfw add pipe 2 ip from any to any out xmit rl1
> ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
> ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s
>
> are these 2 examples functionally the same? if not what is the
> difference?

You're forcing the interface. Be careful, as packets may flow through in
ways you don't expect.

> also in the first example, if the network was changed to
> 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0) ? it is a
> reverse mask like a cisco, right?

That mask has nothing to do with a network mask. It's a simple bitmask,
used to pick out the bits in the src/dst ip/port combinations that are
used to hash the packets into a unique bucket.

If you used "mask src-ip 0x00000001" you would be sorting the packets into
buckets (and queues) based on whether the source IP's last octet was even
or odd.

My setup looks like (for doing traffic usage on a /24):

ipfw pipe 1 config mask src-ip 0xffffffff buckets 512
ipfw add 100 pipe 1 ip src-ip 192.168.0.0/24
ipfw pipe 2 config mask dst-ip 0xffffffff buckets 512
ipfw add 101 pipe 2 ip dst-ip 192.168.0.0/24

If I was curious about how much traffic each of my /28's was doing:

ipfw pipe 3 config mask src-ip 0xfffffff0 buckets 512
ipfw add 105 pipe 3 ip src-ip 192.168.4.0/24
ipfw pipe 4 config mask dst-ip 0xfffffff0 buckets 512
ipfw add 106 pipe 4 ip dst-ip 192.168.4.0/24

---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS

From owner-freebsd-ipfw@FreeBSD.ORG  Tue Dec  2 09:29:04 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 3B93816A4CE; Tue,  2 Dec 2003 09:29:04 -0800 (PST)
Received: from octo.sytes.net (h24-66-40-188.ed.shawcable.net [24.66.40.188])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 9587743FD7; Tue,  2 Dec 2003 09:28:59 -0800 (PST)
	(envelope-from otacon@octo.sytes.net)
Received: from octo.sytes.net (localhost [127.0.0.1])
	by octo.sytes.net (8.12.10/8.12.10) with ESMTP id hB2HSrOG074423;
	Tue, 2 Dec 2003 10:28:54 -0700 (MST)
	(envelope-from otacon@octo.sytes.net)
Received: from localhost (localhost [[UNIX: localhost]])
	by octo.sytes.net (8.12.10/8.12.10/Submit) id hB2HSrJL074422;
	Tue, 2 Dec 2003 10:28:53 -0700 (MST)
	(envelope-from otacon)
From: Dr Otacon <otacon@octo.sytes.net>
Organization: Skimask Ninja Productions
To: freebsd-ipfw@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Date: Tue, 2 Dec 2003 10:28:52 -0700
User-Agent: KMail/1.5.4
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200312021028.52517.otacon@octo.sytes.net>
Subject: tcpdump will not compile with ability to decrypt ESP encapsulated
	packets.
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: otacon@octo.sytes.net
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2003 17:29:04 -0000

I'm trying to tcpdump ESP encapsulated packets with tcpdump using:

    tcpdump -w tcpdump.log -E blowfish-cbc:secret esp host safehost

...but `tcpshow < tcpdump.log' has this message repeated at the end of every 
packet:

    <*** No decode support for encapsulated protocol ***>

I have both /usr/lib/libcrypto.so (base) and /usr/local/lib/libcrypto.so 
(port) installed, which I think may be causing some kind of a conflict. IPSec 
is working fine between the two computers. Here's the output of the nm 
command on the crypto libraries...

# nm /usr/local/lib/libcrypto.* | grep BF_cbc_encrypt
00000840 T BF_cbc_encrypt
         U BF_cbc_encrypt
00049830 T BF_cbc_encrypt
00049830 T BF_cbc_encrypt
[root@octo]-[/var/log]# nm /usr/lib/libcrypto.* | grep BF_cbc_encrypt
         U BF_cbc_encrypt
00000868 T BF_cbc_encrypt


And another command....

# ldd `which tcpdump`
/usr/sbin/tcpdump:
        libpcap.so.2 => /usr/lib/libpcap.so.2 (0x280a9000)
        libc.so.4 => /usr/lib/libc.so.4 (0x280c5000)


Any help is appreciated. TIA

From owner-freebsd-ipfw@FreeBSD.ORG  Tue Dec  2 18:28:23 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 443C816A4CE
	for <freebsd-ipfw@freebsd.org>; Tue,  2 Dec 2003 18:28:23 -0800 (PST)
Received: from renown.cnchost.com (renown.concentric.net [207.155.248.7])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5E8A543FE5
	for <freebsd-ipfw@freebsd.org>; Tue,  2 Dec 2003 18:28:22 -0800 (PST)
	(envelope-from sahafeez@edgefocus.com)
Received: from [10.0.143.250] (064-186-248-138.custnet.redwired.net
	[64.186.248.138] (may be forged))	by renown.cnchost.com
	id VAA21902; Tue, 2 Dec 2003 21:28:21 -0500 (EST)
	[ConcentricHost SMTP Relay 1.16]
Errors-To: <sahafeez@edgefocus.com>
In-Reply-To: <20031201154231.M38868-100000@tyberius.abccom.bc.ca>
References: <20031201154231.M38868-100000@tyberius.abccom.bc.ca>
Mime-Version: 1.0 (Apple Message framework v606)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <5C6FE088-2538-11D8-AE73-003065F1EE08@edgefocus.com>
Content-Transfer-Encoding: 7bit
From: Sean Hafeez <sahafeez@edgefocus.com>
Date: Tue, 2 Dec 2003 18:28:20 -0800
To: Jon Simola <jon@abccom.bc.ca>
X-Mailer: Apple Mail (2.606)
cc: freebsd-ipfw@freebsd.org
Subject: Re: MAN page example vs. this?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2003 02:28:23 -0000

Thank you for the info. One or 2 questions if I could?
On Dec 1, 2003, at 4:03 PM, Jon Simola wrote:
>>
>> ipfw add pipe 1 ip from any to any in recv rl1
>> ipfw add pipe 2 ip from any to any out xmit rl1
>> ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
>> ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s
>>
>> are these 2 examples functionally the same? if not what is the
>> difference?
>
> You're forcing the interface. Be careful, as packets may flow through 
> in
> ways you don't expect.
>

Such as? There are 2 interfaces, rl0 & rl1. rl0 is the internet side, 
rl1 the internal. What could I miss?

>> also in the first example, if the network was changed to
>> 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0) ? it is a
>> reverse mask like a cisco, right?
>
> That mask has nothing to do with a network mask. It's a simple bitmask,
> used to pick out the bits in the src/dst ip/port combinations that are
> used to hash the packets into a unique bucket.
>
> If you used "mask src-ip 0x00000001" you would be sorting the packets 
> into
> buckets (and queues) based on whether the source IP's last octet was 
> even
> or odd.

So 0xffffffff would match one user to one website, etc...?

In doing what I am doing am I limiting each user (IP) to a total of 
200kbits or 200kbits for each user for every pipe they open?

Thanks!

From owner-freebsd-ipfw@FreeBSD.ORG  Wed Dec  3 08:41:41 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A146116A4CE
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 08:41:41 -0800 (PST)
Received: from mail.1wisp.com (uslec-66-255-6-131.cust.uslec.net
	[66.255.6.131])	by mx1.FreeBSD.org (Postfix) with ESMTP id 086E643FD7
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 08:41:39 -0800 (PST)
	(envelope-from tscrum@1wisp.com)
Received: from 1wispadmin ([192.168.1.94])
	(authenticated)
	by mail.1wisp.com (8.11.6/8.11.6) with ESMTP id hB3Gex212370;
	Wed, 3 Dec 2003 11:41:00 -0500
Message-ID: <0ccd01c3b9bc$3e42c7e0$5e01a8c0@1wispadmin>
From: "Thomas S. Crum - 1WISP, Inc." <tscrum@1wisp.com>
To: "Sean Hafeez" <sahafeez@edgefocus.com>,
	<freebsd-ipfw@freebsd.org>
References: <20031201154231.M38868-100000@tyberius.abccom.bc.ca>
	<5C6FE088-2538-11D8-AE73-003065F1EE08@edgefocus.com>
Date: Wed, 3 Dec 2003 11:40:58 -0500
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: Re: MAN page example vs. this?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2003 16:41:41 -0000

0xffffffff is simply matching all ips that it sees.  So what it is doing is
saying to any ip, yes you mtach my rule then it is putting it into the pipe
and the bandwidth you specify.  If only 1 ip is using it then it would have
what you are specifying for speed, but also EVERY other ip would be forced
into the same rule as well.  If you are planning to have multiple ips, i
would suggest queuing the traffic first then have the queue run through the
pipe.  This way all ips would shre evenly.

Best,
Tom Crum



----- Original Message ----- 
From: "Sean Hafeez" <sahafeez@edgefocus.com>
To: "Jon Simola" <jon@abccom.bc.ca>
Cc: <freebsd-ipfw@freebsd.org>
Sent: Tuesday, December 02, 2003 9:28 PM
Subject: Re: MAN page example vs. this?


> Thank you for the info. One or 2 questions if I could?
> On Dec 1, 2003, at 4:03 PM, Jon Simola wrote:
> >>
> >> ipfw add pipe 1 ip from any to any in recv rl1
> >> ipfw add pipe 2 ip from any to any out xmit rl1
> >> ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
> >> ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s
> >>
> >> are these 2 examples functionally the same? if not what is the
> >> difference?
> >
> > You're forcing the interface. Be careful, as packets may flow through
> > in
> > ways you don't expect.
> >
>
> Such as? There are 2 interfaces, rl0 & rl1. rl0 is the internet side,
> rl1 the internal. What could I miss?
>
> >> also in the first example, if the network was changed to
> >> 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0) ? it is a
> >> reverse mask like a cisco, right?
> >
> > That mask has nothing to do with a network mask. It's a simple bitmask,
> > used to pick out the bits in the src/dst ip/port combinations that are
> > used to hash the packets into a unique bucket.
> >
> > If you used "mask src-ip 0x00000001" you would be sorting the packets
> > into
> > buckets (and queues) based on whether the source IP's last octet was
> > even
> > or odd.
>
> So 0xffffffff would match one user to one website, etc...?
>
> In doing what I am doing am I limiting each user (IP) to a total of
> 200kbits or 200kbits for each user for every pipe they open?
>
> Thanks!
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

From owner-freebsd-ipfw@FreeBSD.ORG  Wed Dec  3 09:38:05 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 23D2216A4CE
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 09:38:05 -0800 (PST)
Received: from tyberius.abccom.bc.ca (tyberius.abccom.bc.ca [204.239.167.97])
	by mx1.FreeBSD.org (Postfix) with SMTP id 6F99F43F93
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 09:38:03 -0800 (PST)
	(envelope-from jon@abccom.bc.ca)
Received: (qmail 56045 invoked by uid 1000); 3 Dec 2003 17:38:21 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 3 Dec 2003 17:38:21 -0000
Date: Wed, 3 Dec 2003 09:38:21 -0800 (PST)
From: Jon Simola <jon@abccom.bc.ca>
To: Sean Hafeez <sahafeez@edgefocus.com>
In-Reply-To: <5C6FE088-2538-11D8-AE73-003065F1EE08@edgefocus.com>
Message-ID: <20031203090803.R38868-100000@tyberius.abccom.bc.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-ipfw@freebsd.org
Subject: Re: MAN page example vs. this?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2003 17:38:05 -0000

On Tue, 2 Dec 2003, Sean Hafeez wrote:

> Thank you for the info. One or 2 questions if I could?

Trying to help as much as I can. My situation is a fairly unique
application I believe, so my experiences are somewhat unique as well.

> > You're forcing the interface. Be careful, as packets may flow through
> > in ways you don't expect.
>
> Such as? There are 2 interfaces, rl0 & rl1. rl0 is the internet side,
> rl1 the internal. What could I miss?

Well, packets destined or sourced by the firewall itself, packets flowing
backwards because of spoofing, or just people plugging themselves into the
network at the wrong place. I've had to be careful as my firewalling
bridge (switch) has 5 interfaces, so I've placed more emphasis on keeping
track of IP addresses.

> > If you used "mask src-ip 0x00000001" you would be sorting the packets
> > into buckets (and queues) based on whether the source IP's last octet was
> > even or odd.
>
> So 0xffffffff would match one user to one website, etc...?

That would match one user. If you only have a single /24 behind your
firewall note that the following rulesets would be equivalent:

ipfw pipe 1 config src-mask 0xffffffff
ipfw pipe 2 config src-mask 0x000000ff
ipfw pipe 1 ip from any to any recv rl1 // from the internal network
ipfw pipe 2 ip from 192.168.0.0/24 to any // from an internal network

The only difference that I can think of offhand for that is that a "pipe
show" would give you "192.168.0.34" on pipe 1, and "0.0.0.34" on pipe 2.

> In doing what I am doing am I limiting each user (IP) to a total of
> 200kbits or 200kbits for each user for every pipe they open?

If you wanted to do that, your pipe config would be
ipfw pipe 5 config bw 200Kbits/sec mask all
ipfw pipe 5 ip from any to any recv rl0

That might be entertaining to try, I've been meaning to slow down the P2P
sharing around here.

---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS

From owner-freebsd-ipfw@FreeBSD.ORG  Wed Dec  3 17:10:29 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 74AB816A4CE
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 17:10:29 -0800 (PST)
Received: from exchange.wan.no (exchange.wan.no [80.86.128.88])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A5A0E43FE1
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 17:10:27 -0800 (PST)
	(envelope-from sten.daniel.sorsdal@wan.no)
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 4 Dec 2003 02:10:24 +0100
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DF7A@exchange.wanglobal.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: multiple pipes cause slowdown
thread-index: AcO0XhW25x9z3oTKRNiMQzMZnvV6mQFnuKyA
From: =?iso-8859-1?Q?Sten_Daniel_S=F8rsdal?= <sten.daniel.sorsdal@wan.no>
To: "Vector" <freebsd@itpsg.com>, <freebsd-ipfw@freebsd.org>
Subject: RE: multiple pipes cause slowdown
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2003 01:10:29 -0000


I read somewhere that dummynet was designed to simulate different =
network connections.
So dummynet is not at fault here, the effects congestion has on tcp is.
Use queues to let the small ACK's have higher priority through the =
pipes.
The effect you describe for the wireless is the same thing only with a =
few more variables (packetloss/retransmission/etc).


> -----Original Message-----
> From: Vector [mailto:freebsd@itpsg.com]=20
> Sent: 26. november 2003 21:43
> To: freebsd-ipfw@freebsd.org
> Subject: multiple pipes cause slowdown
>=20
> I've got a FreeBSD system setup and I'm using dummynet to=20
> manage bandwidth.
> Here is what I am seeing:
>=20
> We are communicating with a server on a 100Mbit ethernet=20
> segment in the
> freebsd box as fxp0 and an 11Mbit wireless client that is=20
> getting throttled
> with ipfw pipes.
> If I add two pipes limiting my two clients A and B to 1Mbit=20
> each then here
> is what happens.
>=20
> Client A does a transfer to/from the server and gets 1Mbps up=20
> and 1Mbps down
> Client B does a transfer to/from the server and gets 1Mbps up=20
> and 1Mbps down
> Clients A & B do simultaneous transfers to the server and=20
> each get between
> 670 and 850 Kbps
>=20
> If I delete the pipes and the firewall rules, they behave like regular
> 11Mbit unthrottled clients sharing the available wireless bandwidth
> (although not necessarily equally).
>=20
> It gets worse when I start doing 3 or 4 clients each at=20
> 1Mbit, I've also
> tried setting up 4 clients at 512Kbps and the performance=20
> does the same
> thing, essentially gets cut significantly the more pipes we=20
> have.  Here are
> the rules I'm using:
>=20
> ipfw add 100 pipe 100 all from any to 192.168.1.50 xmit wi0
> ipfw add 100 pipe 5100 all from 192.168.1.50 to any recv wi0
> ipfw pipe 100 config bw 1024Kbits/s
> ipfw pipe 5100 config bw 1024Kbits/s
>=20
> ipfw add 101 pipe 101 all from any to 192.168.1.51 xmit wi0
> ipfw add 101 pipe 5101 all from 192.168.1.51 to any recv wi0
> ipfw pipe 101 config bw 1024Kbits/s
> ipfw pipe 5101 config bw 1024Kbits/s
>=20
> I've played with using in/out instead of recv/xmit and even=20
> not specifying a
> direction at all (which makes traffic to the client get cut=20
> in half but
> traffic from the client remains as high as if I specify which=20
> interface to
> throttle on).  ipfw pipe list shows no dropped packets and=20
> looks like it's
> behaving normally, other than the slowdown for multiple=20
> clients.  I'm not
> specifying a delay and latency does not seem abnormally high.
>=20
> I am using 5.0 Release and I have HZ=3D1000 compiled in the kernel.
> Here are my sysctl vars:
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 0
> net.inet.ip.fw.debug: 0
> net.inet.ip.fw.verbose: 0
> net.inet.ip.fw.verbose_limit: 1
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 2
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.static_count: 72
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_keepalive: 1
> net.link.ether.bridge_ipfw: 0
> net.link.ether.bridge_ipfw_drop: 0
> net.link.ether.bridge_ipfw_collisions: 0
> net.link.ether.bdg_fw_avg: 0
> net.link.ether.bdg_fw_ticks: 0
> net.link.ether.bdg_fw_count: 0
> net.link.ether.ipfw: 0
> net.inet6.ip6.fw.enable: 0
> net.inet6.ip6.fw.debug: 0
> net.inet6.ip6.fw.verbose: 0
> net.inet6.ip6.fw.verbose_limit: 1
>=20
>=20
> net.inet.ip.dummynet.hash_size: 64
> net.inet.ip.dummynet.curr_time: 99067502
> net.inet.ip.dummynet.ready_heap: 16
> net.inet.ip.dummynet.extract_heap: 16
> net.inet.ip.dummynet.searches: 0
> net.inet.ip.dummynet.search_steps: 0
> net.inet.ip.dummynet.expire: 1
> net.inet.ip.dummynet.max_chain_len: 16
> net.inet.ip.dummynet.red_lookup_depth: 256
> net.inet.ip.dummynet.red_avg_pkt_size: 512
> net.inet.ip.dummynet.red_max_pkt_size: 1500
>=20
> Am I just doing something stupid or does the dummynet/QoS=20
> implementation in
> FreeBSD need some work.  If so, I may be able to help and contribute.
> Thanks,
>=20
> vec
>=20
>=20
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to=20
> "freebsd-ipfw-unsubscribe@freebsd.org"
>=20
>=20

From owner-freebsd-ipfw@FreeBSD.ORG  Wed Dec  3 18:56:07 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0A59A16A4CE
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 18:56:07 -0800 (PST)
Received: from makeworld.com (makeworld.com [12.15.124.245])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 481B543F3F
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 18:56:04 -0800 (PST)
	(envelope-from racerx@makeworld.com)
Received: from evrtwa1-ar12-4-46-162-188.evrtwa1.dsl-verizon.net
	(evrtwa1-ar12-4-46-162-188.evrtwa1.dsl-verizon.net [4.46.162.188])
	by makeworld.com (Postfix) with ESMTP id 61B3B3C
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 20:57:42 -0600 (CST)
From: Chris <racerx@makeworld.com>
To: freebsd-ipfw@freebsd.org
Date: Wed, 3 Dec 2003 20:55:58 -0600
User-Agent: KMail/1.5.4
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200312032055.58158.racerx@makeworld.com>
Subject: ipfw and ssh example
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2003 02:56:07 -0000

Hiya folks.

	Please show me an example that I might use if I want to allow only one IP 
address into a box via ssh, yet deny all others.

I thought I could do this in the hosts.allow, but I didn't have any luck.

Thank you in advance.
-- 

Best regards,
                 Chris
______________________________________________________________________

PGP Fingerprint = D976 2575 D0B4 E4B0 45CC AA09 0F93 FF80 C01B C363

PGP Mail encouraged / preferred - keys available on common key servers
______________________________________________________________________
       01010010011000010110001101100101011100100101100000000000


From owner-freebsd-ipfw@FreeBSD.ORG  Wed Dec  3 19:14:12 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A32CD16A4CE
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 19:14:12 -0800 (PST)
Received: from mail2.northnetworks.ca (dev.eagle.ca [209.167.58.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D4C0B43FA3
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 19:14:08 -0800 (PST)
	(envelope-from iaccounts@northnetworks.ca)
Received: from [127.0.0.1] (dev.eagle.ca [209.167.58.10])
	hB43CJCn049498;	Wed, 3 Dec 2003 22:12:20 -0500 (EST)
	(envelope-from iaccounts@northnetworks.ca)
From: Steve Bertrand <iaccounts@northnetworks.ca>
To: Chris <racerx@makeworld.com>
In-Reply-To: <200312032055.58158.racerx@makeworld.com>
References: <200312032055.58158.racerx@makeworld.com>
Content-Type: text/plain
Organization: Northumberland Network Services
Message-Id: <1070507627.416.90.camel@ptp.northnetworks.ca>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.5 
Date: Wed, 03 Dec 2003 22:13:47 -0500
Content-Transfer-Encoding: 7bit
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and ssh example
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: iaccounts@northnetworks.ca
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2003 03:14:12 -0000

On Wed, 2003-12-03 at 21:55, Chris wrote:
> Hiya folks.
> 
> 	Please show me an example that I might use if I want to allow only one IP 
> address into a box via ssh, yet deny all others.

The following will allow ssh from 192.168.1.3 to your box in through the
'rl0' interface, and deny all other ssh traffic to the box.

# ipfw add 10 allow tcp from 192.168.1.3 to me 22 in via rl0 keep-state
# ipfw add 11 deny tcp from any to me 22

Hope this helps.

Steve

-- 

Steve Bertrand
President/CTO,
Northumberland Network Services

t: 905.352.2688
w: www.northnetworks.ca

From owner-freebsd-ipfw@FreeBSD.ORG  Wed Dec  3 19:20:50 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2202516A4CF
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 19:20:50 -0800 (PST)
Received: from makeworld.com (makeworld.com [12.15.124.245])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5DBE043FE1
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 19:20:45 -0800 (PST)
	(envelope-from racerx@makeworld.com)
Received: from evrtwa1-ar12-4-46-162-188.evrtwa1.dsl-verizon.net
	(evrtwa1-ar12-4-46-162-188.evrtwa1.dsl-verizon.net [4.46.162.188])
	by makeworld.com (Postfix) with ESMTP
	id E458839; Wed,  3 Dec 2003 21:22:20 -0600 (CST)
From: Chris <racerx@makeworld.com>
To: iaccounts@northnetworks.ca
Date: Wed, 3 Dec 2003 21:20:30 -0600
User-Agent: KMail/1.5.4
References: <200312032055.58158.racerx@makeworld.com>
	<1070507627.416.90.camel@ptp.northnetworks.ca>
In-Reply-To: <1070507627.416.90.camel@ptp.northnetworks.ca>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200312032120.30792.racerx@makeworld.com>
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and ssh example
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2003 03:20:50 -0000

On Wednesday 03 December 2003 09:13 pm, Steve Bertrand wrote:
> On Wed, 2003-12-03 at 21:55, Chris wrote:
> > Hiya folks.
> >
> > 	Please show me an example that I might use if I want to allow only one
> > IP address into a box via ssh, yet deny all others.
>
> The following will allow ssh from 192.168.1.3 to your box in through the
> 'rl0' interface, and deny all other ssh traffic to the box.
>
> # ipfw add 10 allow tcp from 192.168.1.3 to me 22 in via rl0 keep-state
> # ipfw add 11 deny tcp from any to me 22

How about this:
# ipfw add 10 allow tcp from 192.168.1.3-10 to me 22 in via rl0 keep-state

Allowing a range of IP's?

BTW - Thank you everyone.
-- 

Best regards,
                 Chris
______________________________________________________________________

PGP Fingerprint = D976 2575 D0B4 E4B0 45CC AA09 0F93 FF80 C01B C363

PGP Mail encouraged / preferred - keys available on common key servers
______________________________________________________________________
       01010010011000010110001101100101011100100101100000000000


From owner-freebsd-ipfw@FreeBSD.ORG  Wed Dec  3 19:50:54 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A3BF816A4CE
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 19:50:54 -0800 (PST)
Received: from makeworld.com (makeworld.com [12.15.124.245])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BA71C43FB1
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 19:50:53 -0800 (PST)
	(envelope-from racerx@makeworld.com)
Received: from evrtwa1-ar12-4-46-162-188.evrtwa1.dsl-verizon.net
	(evrtwa1-ar12-4-46-162-188.evrtwa1.dsl-verizon.net [4.46.162.188])
	by makeworld.com (Postfix) with ESMTP
	id 9801D39; Wed,  3 Dec 2003 21:52:27 -0600 (CST)
From: Chris <racerx@makeworld.com>
To: iaccounts@northnetworks.ca
Date: Wed, 3 Dec 2003 21:50:43 -0600
User-Agent: KMail/1.5.4
References: <200312032055.58158.racerx@makeworld.com>
	<1070507627.416.90.camel@ptp.northnetworks.ca>
	<200312032120.30792.racerx@makeworld.com>
In-Reply-To: <200312032120.30792.racerx@makeworld.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200312032150.43066.racerx@makeworld.com>
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and ssh example
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2003 03:50:54 -0000

On Wednesday 03 December 2003 09:20 pm, Chris wrote:
> On Wednesday 03 December 2003 09:13 pm, Steve Bertrand wrote:
> > On Wed, 2003-12-03 at 21:55, Chris wrote:
> > > Hiya folks.
> > >
> > > 	Please show me an example that I might use if I want to allow only one
> > > IP address into a box via ssh, yet deny all others.
> >
> > The following will allow ssh from 192.168.1.3 to your box in through the
> > 'rl0' interface, and deny all other ssh traffic to the box.
> >
> > # ipfw add 10 allow tcp from 192.168.1.3 to me 22 in via rl0 keep-state
> > # ipfw add 11 deny tcp from any to me 22
>
> How about this:
> # ipfw add 10 allow tcp from 192.168.1.3-10 to me 22 in via rl0 keep-state
>
> Allowing a range of IP's?

Never mind folks - Here's my end result.
 ${fwcmd} add 61200 allow log tcp from 200.200.200.0/24 to ${ip} 22 keep-state
 ${fwcmd} add 61210 deny log tcp from any to any 22

Thanks again to all then helped out.
-- 

Best regards,
                 Chris
______________________________________________________________________

PGP Fingerprint = D976 2575 D0B4 E4B0 45CC AA09 0F93 FF80 C01B C363

PGP Mail encouraged / preferred - keys available on common key servers
______________________________________________________________________
       01010010011000010110001101100101011100100101100000000000


From owner-freebsd-ipfw@FreeBSD.ORG  Wed Dec  3 20:00:36 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1268516A4CE
	for <ipfw@hub.freebsd.org>; Wed,  3 Dec 2003 20:00:36 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 56A4B43F93
	for <ipfw@hub.freebsd.org>; Wed,  3 Dec 2003 20:00:35 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id hB440ZFY020285
	for <ipfw@freefall.freebsd.org>; Wed, 3 Dec 2003 20:00:35 -0800 (PST)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id hB440ZE9020284;
	Wed, 3 Dec 2003 20:00:35 -0800 (PST)
	(envelope-from gnats)
Date: Wed, 3 Dec 2003 20:00:35 -0800 (PST)
Message-Id: <200312040400.hB440ZE9020284@freefall.freebsd.org>
To: ipfw@FreeBSD.org
From: Jed Clear <clear@alum.mit.edu>
Subject: Re: kern/46080: [PATCH] logamount in ipfw2 does not default to 
 net.inet.ip.fw.verbose_limit
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Jed Clear <clear@alum.mit.edu>
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2003 04:00:36 -0000

The following reply was made to PR kern/46080; it has been noted by GNATS.

From: Jed Clear <clear@alum.mit.edu>
To: freebsd-gnats-submit@FreeBSD.org, daniel+bsd@pelleg.org
Cc:  
Subject: Re: kern/46080: [PATCH] logamount in ipfw2 does not default to 
 net.inet.ip.fw.verbose_limit
Date: Wed, 03 Dec 2003 22:57:55 -0500

 This still seems to be a mis-feature in 4.9-R.
 
 The patch seems viable in 4.9, although I applied it by hand.
 
 How do we get the patch noticed for inclusion in stable?
 
 -Jed

From owner-freebsd-ipfw@FreeBSD.ORG  Wed Dec  3 20:40:21 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0D8E116A4D2
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 20:40:16 -0800 (PST)
Received: from mail2.northnetworks.ca (dev.eagle.ca [209.167.58.10])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E35EE43FDF
	for <freebsd-ipfw@freebsd.org>; Wed,  3 Dec 2003 20:40:14 -0800 (PST)
	(envelope-from iaccounts@northnetworks.ca)
Received: from [127.0.0.1] (dev.eagle.ca [209.167.58.10])
	hB44cPCn049748;	Wed, 3 Dec 2003 23:38:26 -0500 (EST)
	(envelope-from iaccounts@northnetworks.ca)
From: Steve Bertrand <iaccounts@northnetworks.ca>
To: Chris <racerx@makeworld.com>
In-Reply-To: <200312032120.30792.racerx@makeworld.com>
References: <200312032055.58158.racerx@makeworld.com>
	 <1070507627.416.90.camel@ptp.northnetworks.ca>
	 <200312032120.30792.racerx@makeworld.com>
Content-Type: text/plain
Organization: Northumberland Network Services
Message-Id: <1070512792.416.109.camel@ptp.northnetworks.ca>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.5 
Date: Wed, 03 Dec 2003 23:39:53 -0500
Content-Transfer-Encoding: 7bit
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and ssh example
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: iaccounts@northnetworks.ca
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2003 04:40:21 -0000


> How about this:
> # ipfw add 10 allow tcp from 192.168.1.3-10 to me 22 in via rl0 keep-state
> 

Sure, but the question was 1 IP. With IPFW2 (after July 2002), you can
even do this:

safenets="{ 192.168.1.0/24 or 192.168.2.0/24 or 10.0.2.0/24 }"

$cmd 20 allow tcp from $safenets to me 22 in via rl0 keep-state
$cmd 21 deny tcp from any to me 22 

Which would allow all computers from all three subnets, saving you from
writing rules for each subnet.

Steve

> Allowing a range of IP's?
> 
> BTW - Thank you everyone.
-- 

Steve Bertrand
President/CTO,
Northumberland Network Services

t: 905.352.2688
w: www.northnetworks.ca

From owner-freebsd-ipfw@FreeBSD.ORG  Thu Dec  4 07:55:15 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7139316A4CE
	for <freebsd-ipfw@freebsd.org>; Thu,  4 Dec 2003 07:55:15 -0800 (PST)
Received: from p3.saignon.net (66-146-166-52.skyriver.net [66.146.166.52])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 06C3C43FE9
	for <freebsd-ipfw@freebsd.org>; Thu,  4 Dec 2003 07:55:12 -0800 (PST)
	(envelope-from tony@saign.com)
Received: (qmail 65643 invoked by uid 89); 4 Dec 2003 15:55:06 -0000
Received: from unknown (HELO ?172.17.1.20?) (tony@saign.com@66.146.166.53)
  by 66-146-166-52.skyriver.net with SMTP; 4 Dec 2003 15:55:06 -0000
From: Tony Saign <tony@saign.com>
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain
Message-Id: <1070553273.9448.19.camel@frankenmobl>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.5 (1.4.5-7) 
Date: Thu, 04 Dec 2003 07:54:33 -0800
Content-Transfer-Encoding: 7bit
Subject: NAT box w/ 3 NICS and rc.firewall script?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2003 15:55:15 -0000

Running a 5.2 box w/ NAT and a bridged wlan NIC as an AP.
I'd like to protect the machine, and everything behind it.
Can anyone recommend a good ruleset, or will the rc.firewall script be a
good place to start???

fxp0 = internet WWW/DNS
fxp1 = 172.17.1.1 = DHCP/SMB/NFS/WWW/NAT/DNS
ath0 = bridged to fxp1

Thanks in advance,
-Tony

From owner-freebsd-ipfw@FreeBSD.ORG  Thu Dec  4 09:53:45 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F345D16A4CE
	for <freebsd-ipfw@freebsd.org>; Thu,  4 Dec 2003 09:53:44 -0800 (PST)
Received: from warspite.cnchost.com (warspite.concentric.net [207.155.248.9])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2071C43FDD
	for <freebsd-ipfw@freebsd.org>; Thu,  4 Dec 2003 09:53:43 -0800 (PST)
	(envelope-from sahafeez@edgefocus.com)
Received: from [10.0.143.243] (064-186-248-138.custnet.redwired.net
	[64.186.248.138] (may be forged))	by warspite.cnchost.com
	id MAA28303; Thu, 4 Dec 2003 12:53:41 -0500 (EST)
	[ConcentricHost SMTP Relay 1.16]
Errors-To: <sahafeez@edgefocus.com>
In-Reply-To: <0ccd01c3b9bc$3e42c7e0$5e01a8c0@1wispadmin>
References: <20031201154231.M38868-100000@tyberius.abccom.bc.ca>
	<5C6FE088-2538-11D8-AE73-003065F1EE08@edgefocus.com>
	<0ccd01c3b9bc$3e42c7e0$5e01a8c0@1wispadmin>
Mime-Version: 1.0 (Apple Message framework v606)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <CAE280D0-2682-11D8-B9B4-003065F1EE08@edgefocus.com>
Content-Transfer-Encoding: 7bit
From: Sean Hafeez <sahafeez@edgefocus.com>
Date: Thu, 4 Dec 2003 09:53:39 -0800
To: "Thomas S. Crum - 1WISP, Inc." <tscrum@1wisp.com>
X-Mailer: Apple Mail (2.606)
cc: freebsd-ipfw@freebsd.org
Subject: Re: MAN page example vs. this?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2003 17:53:45 -0000

i am a little confused. using

ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s

are you saying that i am limiting all traffic to lets say, www.cnn.com 
for all users to 200k. so the 1st person gets 200kbits and then when a 
second pulls down at the same time they both get 100kbits and 3 at a 
time is 67kbits each? if so that is not what i want to do!

i would like each ip behind the firewall to be limited to a total of 
200kbits to anyway all the time - the 200kbits being their max thru-put 
some of all apps they are running, ie smtp, pop, ftp, http.


thanks!

On Dec 3, 2003, at 8:40 AM, Thomas S. Crum - 1WISP, Inc. wrote:

> 0xffffffff is simply matching all ips that it sees.  So what it is 
> doing is
> saying to any ip, yes you mtach my rule then it is putting it into the 
> pipe
> and the bandwidth you specify.  If only 1 ip is using it then it would 
> have
> what you are specifying for speed, but also EVERY other ip would be 
> forced
> into the same rule as well.  If you are planning to have multiple ips, 
> i
> would suggest queuing the traffic first then have the queue run 
> through the
> pipe.  This way all ips would shre evenly.
>
> Best,
> Tom Crum
>
>
>
> ----- Original Message -----
> From: "Sean Hafeez" <sahafeez@edgefocus.com>
> To: "Jon Simola" <jon@abccom.bc.ca>
> Cc: <freebsd-ipfw@freebsd.org>
> Sent: Tuesday, December 02, 2003 9:28 PM
> Subject: Re: MAN page example vs. this?
>
>
>> Thank you for the info. One or 2 questions if I could?
>> On Dec 1, 2003, at 4:03 PM, Jon Simola wrote:
>>>>
>>>> ipfw add pipe 1 ip from any to any in recv rl1
>>>> ipfw add pipe 2 ip from any to any out xmit rl1
>>>> ipfw pipe 1 config mask src-ip 0xffffffff bw 200kbits/s
>>>> ipfw pipe 2 config mask dst-ip 0xffffffff bw 200kbits/s
>>>>
>>>> are these 2 examples functionally the same? if not what is the
>>>> difference?
>>>
>>> You're forcing the interface. Be careful, as packets may flow through
>>> in
>>> ways you don't expect.
>>>
>>
>> Such as? There are 2 interfaces, rl0 & rl1. rl0 is the internet side,
>> rl1 the internal. What could I miss?
>>
>>>> also in the first example, if the network was changed to
>>>> 192.168.0.0/23, the mask would be 0x000003ff (255.255.254.0) ? it 
>>>> is a
>>>> reverse mask like a cisco, right?
>>>
>>> That mask has nothing to do with a network mask. It's a simple 
>>> bitmask,
>>> used to pick out the bits in the src/dst ip/port combinations that 
>>> are
>>> used to hash the packets into a unique bucket.
>>>
>>> If you used "mask src-ip 0x00000001" you would be sorting the packets
>>> into
>>> buckets (and queues) based on whether the source IP's last octet was
>>> even
>>> or odd.
>>
>> So 0xffffffff would match one user to one website, etc...?
>>
>> In doing what I am doing am I limiting each user (IP) to a total of
>> 200kbits or 200kbits for each user for every pipe they open?
>>
>> Thanks!
>>
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to 
>> "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>
>

From owner-freebsd-ipfw@FreeBSD.ORG  Thu Dec  4 21:28:14 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 003A916A4CE; Thu,  4 Dec 2003 21:28:13 -0800 (PST)
Received: from rwcrmhc13.comcast.net (rwcrmhc13.comcast.net [204.127.198.39])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 53BF743FDD; Thu,  4 Dec 2003 21:28:12 -0800 (PST)
	(envelope-from cristjc@comcast.net)
Received: from blossom.cjclark.org
	(c-24-6-186-224.client.comcast.net[24.6.186.224])
	by comcast.net (rwcrmhc13) with ESMTP
	id <2003120505281101500bopnge>; Fri, 5 Dec 2003 05:28:11 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1])
	by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id hB55SA43091909;
	Thu, 4 Dec 2003 21:28:10 -0800 (PST)
	(envelope-from cristjc@comcast.net)
Received: (from cjc@localhost)
	by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id hB55S9h5091908;
	Thu, 4 Dec 2003 21:28:09 -0800 (PST)
	(envelope-from cristjc@comcast.net)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to
	cristjc@comcast.net using -f
Date: Thu, 4 Dec 2003 21:28:09 -0800
From: "Crist J. Clark" <cristjc@comcast.net>
To: Dr Otacon <otacon@octo.sytes.net>
Message-ID: <20031205052809.GA91506@blossom.cjclark.org>
References: <200312021028.52517.otacon@octo.sytes.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200312021028.52517.otacon@octo.sytes.net>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
cc: freebsd-ipfw@FreeBSD.ORG
cc: freebsd-stable@FreeBSD.ORG
Subject: Re: tcpdump will not compile with ability to decrypt ESP
	encapsulated packets.
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Crist J. Clark" <cjc@FreeBSD.ORG>
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2003 05:28:14 -0000

On Tue, Dec 02, 2003 at 10:28:52AM -0700, Dr Otacon wrote:
> I'm trying to tcpdump ESP encapsulated packets with tcpdump using:
> 
>     tcpdump -w tcpdump.log -E blowfish-cbc:secret esp host safehost

Tcpdump(8) does not decrypt as it saves data in the pcap dump file. It
only decrypts on the fly as it prints packet contents.

> ...but `tcpshow < tcpdump.log' has this message repeated at the end of every 
> packet:
> 
>     <*** No decode support for encapsulated protocol ***>

Tcpshow(1) would have to decrypt the ESP data itself for this to
work.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG  Fri Dec  5 04:38:23 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E821016A4CE
	for <freebsd-ipfw@freebsd.org>; Fri,  5 Dec 2003 04:38:23 -0800 (PST)
Received: from publicd.ub.mng.net (publicd.ub.mng.net [202.179.0.88])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 979BD43FE0
	for <freebsd-ipfw@freebsd.org>; Fri,  5 Dec 2003 04:38:21 -0800 (PST)
	(envelope-from ganbold@micom.mng.net)
Received: from [202.179.0.164] (helo=ganbold.micom.mng.net)
	by publicd.ub.mng.net with asmtp (Exim 4.24; FreeBSD 5.1)
	id 1ASFAR-000Egi-DC
	for freebsd-ipfw@freebsd.org; Fri, 05 Dec 2003 20:34:43 +0800
Message-Id: <6.0.0.22.2.20031205202453.02a0fd78@202.179.0.80>
X-Sender: ganbold@micom.mng.net@202.179.0.80
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Fri, 05 Dec 2003 20:41:35 +0800
To: freebsd-ipfw@freebsd.org
From: Ganbold <ganbold@micom.mng.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: bridged ipfw problem in FreeBSD 5.2beta
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2003 12:38:24 -0000

Hi,

I'm new to ipfw and I have configured ipfw in Pentium 4 2GHz, 18GB HDD, 
128MB RAM computer.
This computer will work as a bridge. It has 3 Intel Pro 100Mb cards, 2 for 
bridging and 1 for just connection to this computer
from remote machine.
Bridging work just fine, but after 4 hours it doesn't work. It happened 3 
times, all after 4 hours of operation.
Machine itself was working fine, only it seems it doesn't
forward packets from internal interface to external or internal interface 
didn't receive anything.

Can somebody tell me where I did wrong in config files? Is it problem with 
NIC or problem with bridge?
Or is it problem related to arp?

I'm asking a lot of questions in one time, but I really need to install and 
use bridging firewall and
I hope somebody in this list point me to the right direction.


thanks in advance,

Ganbold Ts.
Mongolia

------------------------------------------------------------------------------------------------------------------------------------------------

In kernel config I included:
---------------------------------------------------------------------------------------------------
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100

options         IPDIVERT
options         TCPDEBUG
options         IPSTEALTH
options         TCP_DROP_SYNFIN

options         DUMMYNET
options         HZ=1000
options         BRIDGE
---------------------------------------------------------------------------------------------------

In sysctl.conf I included:
---------------------------------------------------------------------------------------------------

net.link.ether.bridge_cfg=fxp0:0,fxp1:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge.enable=1

net.inet.ip.fw.one_pass=0
security.bsd.see_other_uids=0
net.link.ether.inet.max_age=1200
kern.ipc.somaxconn=1024
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768

net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

net.inet.ip.fw.dyn_ack_lifetime=3600
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_buckets=1024
---------------------------------------------------------------------------------------------------

Following is my rc.conf script:

---------------------------------------------------------------------------------------------------
network_interfaces="fxp0 fxp1 fxp2 lo0"

accounting_enable="YES"
hostname="fw.ub.mng.net"
defaultrouter="202.179.xxx.xxx"
ifconfig_fxp1="media 100baseTX mediaopt full-duplex"
ifconfig_fxp2="inet 202.179.xxx.xxx netmask 255.255.255.248 media 100baseTX 
mediaopt full-duplex"

inetd_enable="YES"
kern_securelevel_enable="NO"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="YES"

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="custom"
firewall_quiet="NO"

log_in_vain=1
icmp_drop_redirect="YES"
icmp_log_redirect=YES
tcp_drop_synfin="YES"
tcp_restrict_rst="YES"
---------------------------------------------------------------------------------------------------

Following is my rc.firewall part:
---------------------------------------------------------------------------------------------------
...
[Cc][Uu][Ss][Tt][Oo][Mm])

# 0 is external and 1 is internal nic
fwinterface0="fxp0"
fwinterface1="fxp1"

${fwcmd} -f flush

######################## CLASS A,B,C #########################
# Things that we have kept state on before get to go through in a hurry
${fwcmd} add 10 check-state

# Denying Class A IP spoofing.
# NOTE: REMARK these lines if you have intranet clients with Class A IP.
${fwcmd} add 20 deny all from any to 10.0.0.0/8 via fxp0
${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0

# Denying Class B IP spoofing.
# NOTE: REMARK these lines if you have intranet clients with Class B IP.
${fwcmd} add 22 deny all from any to 172.16.0.0/12 via fxp0
${fwcmd} add 23 deny all from 172.16.0.0/12 to any via fxp0

# Denying Class C IP spoofing.
# NOTE: REMARK these lines if you have intranet clients with Class C IP.
${fwcmd} add 24 deny all from any to 192.168.0.0/16 via fxp0
${fwcmd} add 25 deny all from 192.168.0.0/16 to any via fxp0

######################### CLASS D,E #########################

# Denying Class D, E IP spoofing.
# Refer to: draft-manning-dsua-03.txt for more information about Class D/E IP.
${fwcmd} add 26 deny all from any to 0.0.0.0/8 via fxp0
${fwcmd} add 27 deny all from 0.0.0.0/8 to any via fxp0

${fwcmd} add 28 deny all from any to 192.0.2.0/24 via fxp0
${fwcmd} add 29 deny all from 192.0.2.0/24 to any via fxp0

${fwcmd} add 30 deny all from any to 169.254.0.0/16 via fxp0
${fwcmd} add 31 deny all from 169.254.0.0/16 to any via fxp0

${fwcmd} add 32 deny all from any to 224.0.0.0/4 via fxp0
${fwcmd} add 33 deny all from 224.0.0.0/4 to any via fxp0

####################### DUMMYNET config #######################

# apply DUMMYNET bandwidth here

# micom
${fwcmd} pipe 41 config bw 0kbit/s
${fwcmd} pipe 42 config bw 0kbit/s

${fwcmd} add 60 pipe 41 all from 202.179.xxx.xxx/27 to any in via fxp1
${fwcmd} add 61 pipe 42 all from any to 202.179.xxx.xxx/27 in via fxp0

#glinkor
${fwcmd} pipe 43 config bw 128kbit/s
${fwcmd} pipe 44 config bw 128kbit/s

${fwcmd} add 62 pipe 43 all from 202.179.xxx.xxx/29 to any in via fxp1
${fwcmd} add 63 pipe 44 all from any to 202.179.xxx.xxx/29 in via fxp0

######################### STANDARDS #########################

# Allow TCP through if setup succeeded
${fwcmd} add 100 pass tcp from any to any established

# Allow the bridge machine to say anything it wants
# (if the machine is IP-less do not include these rows)
${fwcmd} add 200 pass tcp from 202.179.xxx.xxx to any setup keep-state
${fwcmd} add 210 pass udp from  202.179.xxx.xxx to any keep-state
${fwcmd} add 220 pass ip from  202.179.xxx.xxx  to any

# Allowing connections through localhost.
${fwcmd} add 300 pass all from any to any via lo0
# pass ARP
${fwcmd} add 301 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Allow the inside hosts to say anything they want
${fwcmd} add pass tcp from any to any in via fxp1 setup keep-state
${fwcmd} add pass udp from any to any in via fxp1 keep-state
${fwcmd} add pass ip from any to any in via fxp1

${fwcmd} add pass tcp from any to any in via fxp2 setup keep-state
${fwcmd} add pass udp from any to any in via fxp2 keep-state
${fwcmd} add pass ip from any to any in via fxp2

######################### RESTRICTIONS #########################


# Allowing SSH,web connection and LOG all incoming connections.
${fwcmd} add pass log tcp from any to any 22 in via fxp0 setup keep-state
${fwcmd} add pass tcp from any to any 80,443 in via fxp0 setup keep-state

# Allowing and LOG all INCOMING, outgoing FTP, telnet, SMTP, POP3, ident, 
imap conections.
${fwcmd} add pass tcp from any to any 20-21,23,25,110,113,143 in via 
fxp0  setup keep-state
${fwcmd} add pass udp from any to any 20-21,23,25,110,113,143 in via fxp0 
keep-state

# Pass the "quarantine" range
${fwcmd} add pass tcp from any to any 40000-65535 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 40000-65535 in via fxp0 keep-state

# MSN, Yahoo
${fwcmd} add pass tcp from any to any 1863,5050 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 1863,5050 in via fxp0 keep-state

# additional MSN ports
${fwcmd} add pass tcp from any to any 6891-6901,6801,2001-2120,7801-7825 in 
via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 6891-6901,6801,2001-2120,7801-7825 in 
via fxp0 keep-state

# additional h323,yahoo ports
${fwcmd} add pass tcp from any to any 
1719-1721,5000-5010,5100,5190,8010,8100 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 
1719-1721,5000-5010,5100,5190,8010,8100 in via fxp0 keep-state

# allow radius
${fwcmd} add pass tcp from any to any 1645,1646,1812,1813 in via 
fxp0  setup keep-state
${fwcmd} add pass udp from any to any 1645,1646,1812,1813 in via fxp0 
keep-state

# Allowing mysql,Jabber,IRC,chat,SOCKS,HTTP proxy.
${fwcmd} add pass tcp from any to any 
1080,3306,5222,5223,5269,6667,8000,8080 in via fxp0  setup keep-state
${fwcmd} add pass udp from any to any 
1080,3306,5222,5223,5269,6667,8000,8080 in via fxp0 keep-state

# additional eMule ports
${fwcmd} add pass tcp from any to any 2323,4242,4243,4661-4672,7700-7800 in 
via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 2323,4242,4243,4661-4672,7700-7800 in 
via fxp0 keep-state

# Allowing DNS lookups.
${fwcmd} add pass tcp from any to any 53 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 53 in via fxp0 keep-state
${fwcmd} add pass udp from any 53 to any in via fxp0 keep-state

#${fwcmd} add pass tcp from any to any 53 out via fxp0 setup keep-state
#${fwcmd} add pass udp from any to any 53 out via fxp0 keep-state

######################### ICMP #########################

# Allowing outgoing PINGs.
# Allowing "Destination Unreachable" "Source Quench" "Time Exceeded" and 
"Bad Header".
${fwcmd} add pass icmp from any to any icmptypes 0,3,4,8,11,12

# Allowing IP fragments to pass through.
${fwcmd} add 65000 pass all from any to any frag

# Everything else is suspect
${fwcmd} add drop log ip from any to any
         ;;

---------------------------------------------------------------------------------------------------





From owner-freebsd-ipfw@FreeBSD.ORG  Fri Dec  5 06:26:35 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BFE8516A4CE
	for <freebsd-ipfw@freebsd.org>; Fri,  5 Dec 2003 06:26:35 -0800 (PST)
Received: from mail.sandvine.com (sandvine.com [199.243.201.138])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0023D43FBD
	for <freebsd-ipfw@freebsd.org>; Fri,  5 Dec 2003 06:26:33 -0800 (PST)
	(envelope-from don@sandvine.com)
Received: by mail.sandvine.com with Internet Mail Service (5.5.2657.72)
	id <XRT16DQC>; Fri, 5 Dec 2003 09:26:32 -0500
Message-ID: <FE045D4D9F7AED4CBFF1B3B813C85337035E404F@mail.sandvine.com>
From: Don Bowman <don@sandvine.com>
To: 'Ganbold' <ganbold@micom.mng.net>, freebsd-ipfw@freebsd.org
Date: Fri, 5 Dec 2003 09:26:27 -0500 
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain;
	charset="iso-8859-1"
Subject: RE: bridged ipfw problem in FreeBSD 5.2beta
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2003 14:26:35 -0000

From: Ganbold [mailto:ganbold@micom.mng.net]

 ... bridging firewall ...

># Allowing connections through localhost.
>${fwcmd} add 300 pass all from any to any via lo0
># pass ARP
>${fwcmd} add 301 pass udp from 0.0.0.0 2054 to 0.0.0.0

the comment at least is not right, arp is not udp.

maybe something like "add 301 allow layer2 mac-type arp"
instead? 

--don

From owner-freebsd-ipfw@FreeBSD.ORG  Fri Dec  5 16:57:20 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 21E2216A4CE
	for <freebsd-ipfw@freebsd.org>; Fri,  5 Dec 2003 16:57:20 -0800 (PST)
Received: from tyberius.abccom.bc.ca (tyberius.abccom.bc.ca [204.239.167.97])
	by mx1.FreeBSD.org (Postfix) with SMTP id AECF243F75
	for <freebsd-ipfw@freebsd.org>; Fri,  5 Dec 2003 16:57:18 -0800 (PST)
	(envelope-from jon@abccom.bc.ca)
Received: (qmail 73951 invoked by uid 1000); 6 Dec 2003 00:57:35 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 6 Dec 2003 00:57:35 -0000
Date: Fri, 5 Dec 2003 16:57:35 -0800 (PST)
From: Jon Simola <jon@abccom.bc.ca>
To: freebsd-ipfw@freebsd.org
In-Reply-To: <6.0.0.22.2.20031205202453.02a0fd78@202.179.0.80>
Message-ID: <20031205163656.H38868-100000@tyberius.abccom.bc.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: bridged ipfw problem in FreeBSD 5.2beta
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Dec 2003 00:57:20 -0000

On Fri, 5 Dec 2003, Ganbold wrote:

> Bridging work just fine, but after 4 hours it doesn't work. It happened
> 3 times, all after 4 hours of operation. Machine itself was working
> fine, only it seems it doesn't forward packets from internal interface
> to external or internal interface didn't receive anything.

This sounded awfully familiar to me, so I did a little looking. I had a
similar problem that I never completely tracked down, but I believe it had
something to do with a bunch of devices (DLink DSL modems) that came
poorly configured. This was on a 4.4-STABLE era FreeBSD box. Perhaps
5.2Beta is a bit too bleeding edge for you, I'm still testing a
5.1-RELEASE box and my servers are still on the 4-STABLE track.

Anyways, at one point, there was 40 of those modems all trying to arp for
a single IP address and the bridging code was constantly spewing bridge
collision errors. After a while, the firewall completely stopped passing
traffic until rebooted.

My solution was to block the traffic from the MAC address range of those
DSL modems as the first ipfw rule.

> Can somebody tell me where I did wrong in config files? Is it problem
> with NIC or problem with bridge? Or is it problem related to arp?

My compliments on the amount of detail you've provided. I don't see
anything obvious, other that the slightly confusing aspect of explictly
numbering ipfw rules for the first half of the script.

> ${fwcmd} pipe 41 config bw 0kbit/s
> ${fwcmd} pipe 42 config bw 0kbit/s
>
> ${fwcmd} add 60 pipe 41 all from 202.179.xxx.xxx/27 to any in via fxp1
> ${fwcmd} add 61 pipe 42 all from any to 202.179.xxx.xxx/27 in via fxp0

That gave me a good chuckle, I would guess that you've shut off a
customer's access for some reason. Giving them 0 bandwidth is certainly a
solution that had never crossed my mind.

> options         TCPDEBUG
> options         IPSTEALTH

TCPDEBUG is undocumented, and IPSTEALTH may not be required. I don't use
IPSTEALTH myself, never saw a real need. Might want to try without them,
TCPDEBUG sounds scary.

> net.link.ether.inet.max_age=1200
>
> net.inet.ip.sourceroute=0
> net.inet.ip.accept_sourceroute=0
> net.inet.icmp.bmcastecho=0
> net.inet.icmp.maskrepl=0
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
>
> net.inet.ip.fw.dyn_ack_lifetime=3600
> net.inet.ip.fw.dyn_udp_lifetime=10
> net.inet.ip.fw.dyn_buckets=1024

These look fairly good to me, I haven't had to go so far as touching most
of them on my current box (P4 2.4GHz, with 2 Intel Pro100 and a 3C905,
peaking at 40Mbit)

---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
    Systems Administrator     |  reach out to the stars, electrons and light
     ABC  Communications      |  flow throughout the universe." -- GITS

From owner-freebsd-ipfw@FreeBSD.ORG  Sat Dec  6 21:19:22 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 77B9A16A4CE
	for <freebsd-ipfw@freebsd.org>; Sat,  6 Dec 2003 21:19:22 -0800 (PST)
Received: from web20725.mail.yahoo.com (web20725.mail.yahoo.com
	[216.136.226.107])
	by mx1.FreeBSD.org (Postfix) with SMTP id 542FE43FE0
	for <freebsd-ipfw@freebsd.org>; Sat,  6 Dec 2003 21:19:20 -0800 (PST)
	(envelope-from bsdfreakish@yahoo.com)
Message-ID: <20031207051920.87731.qmail@web20725.mail.yahoo.com>
Received: from [203.24.54.144] by web20725.mail.yahoo.com via HTTP;
	Sat, 06 Dec 2003 21:19:20 PST
Date: Sat, 6 Dec 2003 21:19:20 -0800 (PST)
From: Michael Lopez <bsdfreakish@yahoo.com>
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: ipfw + natd + ppp
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Dec 2003 05:19:22 -0000

Hello all,
I was wondering if you guys have a good URL for ipfw + ppp (dial up) + natd for private network (exp: 192.168.0.0)  tutorials or resources ? I tried to search at google.com/bsd but hardly can't find a good one for dial up (also tried freebsd.org ; defcon.org ; freebsddiaries ; freebsdhowtos) thank you.


---------------------------------
Do you Yahoo!?
Free Pop-Up Blocker - Get it now

From owner-freebsd-ipfw@FreeBSD.ORG  Sat Dec  6 23:03:13 2003
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1E4A816A4CF
	for <freebsd-ipfw@freebsd.org>; Sat,  6 Dec 2003 23:03:13 -0800 (PST)
Received: from mail.lphp.org (APastourelles-107-1-1-252.w80-13.abo.wanadoo.fr
	[80.13.78.252])	by mx1.FreeBSD.org (Postfix) with ESMTP id 13AF843FD7
	for <freebsd-ipfw@freebsd.org>; Sat,  6 Dec 2003 23:03:11 -0800 (PST)
	(envelope-from ajacoutot@lphp.org)
Received: from sta01 (sta01.lphp.local [192.168.0.3])
	by mail.lphp.org (8.12.10/8.12.10) with ESMTP id hB76v7YL071658;
	Sun, 7 Dec 2003 07:57:07 +0100 (CET)
	(envelope-from ajacoutot@lphp.org)
From: Antoine Jacoutot <ajacoutot@lphp.org>
To: Michael Lopez <bsdfreakish@yahoo.com>, freebsd-ipfw@freebsd.org
Date: Sun, 7 Dec 2003 08:01:46 +0100
User-Agent: KMail/1.5.4
References: <20031207051920.87731.qmail@web20725.mail.yahoo.com>
In-Reply-To: <20031207051920.87731.qmail@web20725.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200312070801.46651.ajacoutot@lphp.org>
Subject: Re: ipfw + natd + ppp
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Dec 2003 07:03:13 -0000

On Sunday 07 December 2003 06:19, Michael Lopez wrote:
> I was wondering if you guys have a good URL for ipfw + ppp (dial up) + natd
> for private network (exp: 192.168.0.0)  tutorials or resources ? I tried to
> search at google.com/bsd but hardly can't find a good one for dial up (also
> tried freebsd.org ; defcon.org ; freebsddiaries ; freebsdhowtos) thank you.

This page is good IMHO:

http://renaud.waldura.com/doc/freebsd/firewall/

Antoine