From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 4 01:28:40 2004
From: Ganbold
To: freebsd-ipfw@freebsd.org
Cc: freebsd-hackers@freebsd.org
Date: Sun, 04 Jan 2004 17:32:17 +0800
Subject: ipfw2 problem
Message-Id: <6.0.1.1.2.20040104165741.029d6940@202.179.0.80>

Hi,

I'm using a FreeBSD 5.2-current machine as a firewall. It is configured as a bridged ipfw2 firewall.
This machine also works as a traffic shaper using the IP dummynet features.
The machine has a 2GHz Pentium 4 CPU, 128MB RAM and 3 Intel Pro 100MB cards. 2 cards are used for bridging.
Everything works fine, except that sometimes it seems to be dropping some packets.
When I try to browse the web, sometimes it just shows an error page. This situation happens during peak hours.
So my guess is that the firewall drops packets and maybe the machine needs more RAM.
Another guess is that I'm using the stateful features of ipfw2, and when the dynamic rule count reaches the maximum it just drops packets while waiting for some dynamic rules to be deleted. Am I right?
Can somebody explain to me what will happen when net.inet.ip.fw.dyn_count reaches the net.inet.ip.fw.dyn_max value?

Also I tried to increase the maximum value up to 8192 but it seems to have no result.

# Added in sysctl.conf
net.inet.ip.fw.dyn_max=8192

I attached my /etc/rc.firewall and /etc/sysctl.conf files.
Can somebody tell me where I went wrong in the config files? Should I increase the RAM?
Or should I set a smaller lifetime for dynamic rules?

I hope somebody on this list can point me in the right direction.

Part of the /etc/rc.firewall
-----------------------------------------------------------------------------------------------------------------------------
...
[Cc][Uu][Ss][Tt][Oo][Mm])

${fwcmd} -f flush
${fwcmd} -f pipe flush

# Things that we have kept state on before get to go through in a hurry
${fwcmd} add 10 check-state

${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0
${fwcmd} add 23 deny all from 172.16.0.0/12 to any via fxp0
${fwcmd} add 25 deny all from 192.168.0.0/16 to any via fxp0

${fwcmd} add 34 deny all from 127.0.0.0/8 to any in via fxp0

################### stop Welcia/Nachi ###########################
${fwcmd} add 35 deny icmp from any to any iplen 92

####################### DUMMYNET config #########################

##################### 64KB #######################################
#
# selenge
${fwcmd} pipe 41 config bw 64kbit/s
${fwcmd} pipe 42 config bw 64kbit/s
${fwcmd} add 62 pipe 41 all from 202.179.x.x/30 to any in via fxp1
${fwcmd} add 63 pipe 42 all from any to 202.179.x.x/30 in via fxp0

# khentii
${fwcmd} pipe 43 config bw 64kbit/s
${fwcmd} pipe 44 config bw 64kbit/s
${fwcmd} add 64 pipe 43 all from 202.179.x.x/30 to any in via fxp1
${fwcmd} add 65 pipe 44 all from any to 202.179.x.x/30 in via fxp0

# arkhangai
${fwcmd} pipe 45 config bw 64kbit/s
${fwcmd} pipe 46 config bw 64kbit/s
${fwcmd} add 66 pipe 45 all from 202.179.x.x/30 to any in via fxp1
${fwcmd} add 67 pipe 46 all from any to 202.179.x.x/30 in via fxp0

# traffic police
${fwcmd} pipe 47 config bw 64kbit/s
${fwcmd} pipe 48 config bw 64kbit/s
${fwcmd} add 68 pipe 47 all from 202.179.x.x/30,202.179.x.x/28 to any in via fxp1
${fwcmd} add 69 pipe 48 all from any to 202.179.x.x/30,202.179.x.x/28 in via fxp0

##################### 128KB #######################################
#
# glencore
${fwcmd} pipe 49 config bw 128kbit/s
${fwcmd} pipe 50 config bw 128kbit/s
${fwcmd} add 70 pipe 49 all from 202.179.x.x/29,202.179.x.x/30 to any in via fxp1
${fwcmd} add 71 pipe 50 all from any to 202.179.x.x/29,202.179.x.x/30 in via fxp0

# ikh tenger
${fwcmd} pipe 51 config bw 128kbit/s
${fwcmd} pipe 52 config bw 128kbit/s
${fwcmd} add 72 pipe 51 all from 202.179.x.x/29 to any in via fxp1
${fwcmd} add 73 pipe 52 all from any to 202.179.x.x/29 in via fxp0

# xas
${fwcmd} pipe 53 config bw 128kbit/s
${fwcmd} pipe 54 config bw 128kbit/s
${fwcmd} add 74 pipe 53 all from 202.179.x.x/29,202.179.x.x/30 to any in via fxp1
${fwcmd} add 75 pipe 54 all from any to 202.179.x.x/29,202.179.x.x/30 in via fxp0

##################### 256KB #######################################
#mtc
${fwcmd} pipe 55 config bw 256kbit/s
${fwcmd} pipe 56 config bw 256kbit/s
${fwcmd} add 76 pipe 55 all from 202.179.x.x/30,202.179.x.x/29 to any in via fxp1
${fwcmd} add 77 pipe 56 all from any to 202.179.x.x/30,202.179.x.x/29 in via fxp0

#gtz
${fwcmd} pipe 57 config bw 256kbit/s
${fwcmd} pipe 58 config bw 256kbit/s
${fwcmd} add 78 pipe 57 all from 202.179.x.x/28 to any in via fxp1
${fwcmd} add 79 pipe 58 all from any to 202.179.x.x/28 in via fxp0

######################### STANDARDS #########################
# Allow TCP through if setup succeeded
${fwcmd} add 100 pass tcp from any to any established

# Allowing connections through localhost.
${fwcmd} add 300 pass all from any to any via lo0

# pass ARP
${fwcmd} add 301 allow layer2 mac-type arp

# Allow the inside hosts to say anything they want
${fwcmd} add pass tcp from any to any in via fxp1 setup keep-state
${fwcmd} add pass udp from any to any in via fxp1 keep-state
${fwcmd} add pass ip from any to any in via fxp1

# Allowing SSH,web connection and LOG all incoming connections.
${fwcmd} add pass tcp from any to any 22 in via fxp0 setup keep-state
${fwcmd} add pass tcp from any to any 80,443 in via fxp0 setup keep-state

# Allowing and LOG all INCOMING, outgoing FTP, telnet, SMTP, POP3, ident, imap connections.
${fwcmd} add pass tcp from any to any 20-21,23,25,110,113,143 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 20-21,23,25,110,113,143 in via fxp0 keep-state

# Pass the "quarantine" range
${fwcmd} add pass tcp from any to any 18198,18211,40000-65535 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 18198,18211,40000-65535 in via fxp0 keep-state

# MSN, Yahoo ports
${fwcmd} add pass tcp from any to any 1863,2001-2120,6801,6891-6901,7801-7825 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 1863,2001-2120,6801,6891-6901,7801-7825 in via fxp0 keep-state

# additional h323,yahoo,remote admin,vnc ports
${fwcmd} add pass tcp from any to any 1719-1725,2082,5000-6000,8010,8100 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 1719-1725,2082,5000-6000,8010,8100 in via fxp0 keep-state

# Allowing mysql,Jabber,IRC,chat.
${fwcmd} add pass tcp from any to any 3306,4899,6155,6502,6667,8000 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 3306,4899,6155,6502,6667,8000 in via fxp0 keep-state

# allow radius
${fwcmd} add pass tcp from any to any 1645,1646,1812,1813,9000-9002 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 1645,1646,1812,1813,9000-9002 in via fxp0 keep-state

# additional eMule ports
${fwcmd} add pass tcp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 keep-state

# Allowing DNS lookups.
${fwcmd} add pass tcp from any to any 53 in via fxp0 setup keep-state
${fwcmd} add pass udp from any to any 53 in via fxp0 keep-state
${fwcmd} add pass udp from any 53 to any in via fxp0 keep-state

${fwcmd} add pass icmp from 202.179.x.x/19 to any icmptypes 0,3,4,8,11,12
${fwcmd} add pass icmp from not 202.179.x.x/19 to 202.179.x.x/19 icmptypes 0,3,4,11,12

# Allowing SOCKS,HTTP proxy to outside only
${fwcmd} add pass tcp from 202.179.x.x/19 to any 1080,8080 in via fxp0 setup keep-state
${fwcmd} add pass udp from 202.179.x.x/19 to any 1080,8080 in via fxp0 keep-state

# Allow the bridge machine to say anything it wants
${fwcmd} add pass tcp from 202.179.x.x to any setup keep-state
${fwcmd} add pass udp from 202.179.x.x to any keep-state
${fwcmd} add pass ip from 202.179.x.x to any

${fwcmd} add pass tcp from any to any in via fxp2 setup keep-state
${fwcmd} add pass udp from any to any in via fxp2 keep-state
${fwcmd} add pass ip from any to any in via fxp2

# Allow NTP queries out in the world
${fwcmd} add pass udp from any to any 123 in via fxp0 keep-state

# allow multicast
${fwcmd} add pass all from 202.179.x.x/19 to 224.0.0.0/4 via fxp0
${fwcmd} add pass all from 224.0.0.0/4 to 202.179.x.x/19 via fxp0

# Allowing OSPF
${fwcmd} add pass ospf from any to any

# Allowing GRE
${fwcmd} add pass gre from any to any

# Allowing IP fragments to pass through.
${fwcmd} add 65001 pass all from any to any frag

# Everything else is suspect
${fwcmd} add drop log ip from any to any
...
-----------------------------------------------------------------------------------------------------------------------------

/etc/sysctl.conf file.
-----------------------------------------------------------------------------------------------------------------------------
net.link.ether.bridge_cfg=fxp0:0,fxp1:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge.enable=1

net.inet.ip.fw.one_pass=0
security.bsd.see_other_uids=0
net.link.ether.inet.max_age=1200
kern.ipc.somaxconn=1024
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768

net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

# Stop broadcast ECHO response
net.inet.icmp.bmcastecho=0

# Stop other broadcast probes
net.inet.icmp.maskrepl=0

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

net.inet.ip.fw.dyn_max=8192
net.inet.ip.fw.dyn_ack_lifetime=3600
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_buckets=1024
-----------------------------------------------------------------------------------------------------------------------------

tia,

Ganbold
From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 4 13:25:26 2004
From: tony@saign.com
To: ipfw@freebsd.org
Date: Sun, 4 Jan 2004 13:01:58 -0800 (PST)
Subject: bw limit of http downloads?
Message-ID: <3466.66.146.166.53.1073250118.squirrel@p3.saignon.net>

I've been toying with the idea of limiting port 80 downloads from my box.
Seems some people can't be polite, and do it themselves??

Is there a quick way using a single pipe/queue to restrict port 80 to say 128K downloads?

Thanks,
-Tony

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 4 14:48:55 2004
From: Jeremie LE HEN
To: tony@saign.com
Cc: ipfw@freebsd.org
Date: Sun, 4 Jan 2004 23:48:48 +0100
Subject: Re: bw limit of http downloads?
Message-ID: <20040104224848.GC537@carpediem.epita.fr>
In-Reply-To: <3466.66.146.166.53.1073250118.squirrel@p3.saignon.net>

> I've been toying with the idea of limiting port 80 downloads from my box.
> Seems some people can't be polite, and do it themselves??
>
> Is there a quick way using a single pipe/queue to restrict port 80 to say
> 128K downloads?

Reading the ipfw(8) manual page would have been a great help...
Supposing your interface to the Internet is tun0:

$ ipfw pipe 1 config bw 128KBytes/s
$ ipfw add pipe 1 tcp from any 80 to any in via tun0

--
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen@epita.fr ttz@epita.fr
Hi! I'm a .signature virus!
Copy me into your ~/.signature to help me spread!

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 4 16:52:36 2004
From: Ganbold
To: Don Bowman
Cc: freebsd-ipfw@freebsd.org
Cc: freebsd-hackers@freebsd.org
Date: Mon, 05 Jan 2004 08:56:13 +0800
Subject: RE: ipfw2 problem
Message-Id: <6.0.1.1.2.20040105085202.029b8820@202.179.0.80>

Hi,

How much memory does your machine have?
I have never tried ipfw with the -d option. I'll try next time.
Actually one_pass is already turned off in sysctl.conf.
Any other recommendations?
Someone suggested that I remove keep-state from the http filtering rules. Will it solve the problem?

Ganbold

At 01:41 AM 05.01.2004, you wrote:
>I have:
>
>sysctl net.inet.ip.fw.dyn_buckets=16384
>sysctl net.inet.ip.fw.dyn_syn_lifetime=5
>sysctl net.inet.ip.fw.dyn_max=32000
>sysctl net.inet.ip.fw.debug=0
>sysctl net.inet.ip.dummynet.max_chain_len=256
>sysctl net.inet.ip.dummynet.hash_size=1024
>sysctl net.inet.ip.fw.verbose_limit=1
>
>and am running ~3000 users with ~2 sessions each, stateful, with shaping.
>
>I wonder what you get if you run ipfw -d show when your error happens?
>
>I wonder if your shaper is getting full and dropping the syn packets that
>setup the flow? Maybe if you put the shaper rules @ the end and turned off
>one-pass?
>
> > -----Original Message-----
> > From: Ganbold [mailto:ganbold@micom.mng.net]
> > Sent: January 4, 2004 4:32 AM
> > To: freebsd-ipfw@freebsd.org
> > Cc: freebsd-hackers@freebsd.org
> > Subject: ipfw2 problem
> >
> > [Ganbold's original message, quoted in full]
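Don's suggestion to look at `ipfw -d show` when the errors happen is the right check: when dyn_count reaches dyn_max, ipfw2 first tries to reap expired entries and, if the table is still full, refuses to install the new state and drops the packet that would have created it. Below is an added example (not from the thread) that summarises that output offline: it counts live dynamic rules against dyn_max and shows which hosts hold the most state. The dynamic-rule line format is an assumption about the FreeBSD 5.x ipfw2 listing and the sample output is constructed; adjust the regex if your version prints the columns differently.

```python
"""Summarise ipfw2 dynamic-rule (state table) usage from `ipfw -d show` output.

Added example: the parser assumes each dynamic rule is printed as
  <rule> <pkts> <bytes> (<ttl>s) STATE <proto> <src> <sport> <-> <dst> <dport>
after the "## Dynamic rules" header, which is how FreeBSD 5.x ipfw2 lists them.
"""
import re
from collections import Counter

DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\w+)\s+(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)$"
)

# Constructed sample of `ipfw -d show`: three static rules, then the dynamic ones.
# Addresses are RFC 5737 documentation ranges, not the poster's 202.179.x.x space.
SAMPLE_SHOW = """\
00010       1203      88321 check-state
00100       5501    3344110 allow tcp from any to any established
65535         12        900 deny ip from any to any
## Dynamic rules:
00100         12       1234 (3590s) STATE tcp 192.0.2.10 51000 <-> 198.51.100.5 80
00100         31      40210 (3580s) STATE tcp 192.0.2.10 51001 <-> 198.51.100.5 80
00100          8        600 (3200s) STATE tcp 192.0.2.10 51002 <-> 198.51.100.9 443
00100          2        180 (7s) STATE udp 192.0.2.22 1025 <-> 198.51.100.53 53
00100         44      51020 (2900s) STATE tcp 192.0.2.31 40001 <-> 198.51.100.7 22
00100          1         60 (3s) STATE udp 192.0.2.31 1026 <-> 198.51.100.53 53
"""


def parse_dynamic_rules(text):
    """Return one dict per dynamic rule; static rules and headers are ignored."""
    rules = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
            d[key] = int(d[key])
        rules.append(d)
    return rules


def state_report(rules, dyn_max, warn_pct=80, top=3, long_ttl=600):
    """Compare live dynamic rules with net.inet.ip.fw.dyn_max.

    Flags usage at or above warn_pct and lists the biggest state holders,
    which is what fills the table first. long_ttl is an assumed cut-off:
    TCP states with more seconds left than that are counted as long-lived
    (the poster's dyn_ack_lifetime is 3600s, so idle sessions linger an hour).
    """
    count = len(rules)
    pct = 100.0 * count / dyn_max
    return {
        "dyn_count": count,
        "dyn_max": dyn_max,
        "percent_used": round(pct, 1),
        "warning": pct >= warn_pct,
        "top_sources": Counter(r["src"] for r in rules).most_common(top),
        "by_proto": dict(Counter(r["proto"] for r in rules)),
        "long_lived_tcp": sum(1 for r in rules if r["proto"] == "tcp" and r["ttl"] > long_ttl),
    }


if __name__ == "__main__":
    report = state_report(parse_dynamic_rules(SAMPLE_SHOW), dyn_max=8192)
    for key, value in report.items():
        print(f"{key:>15}: {value}")
```

On the firewall itself the same functions can be fed `subprocess.check_output(["ipfw", "-d", "show"], text=True)` and the dyn_max value read from `sysctl -n net.inet.ip.fw.dyn_max`.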
From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 4 18:01:57 2004
From: Sten Daniel Sørsdal
To: Ganbold
Date: Mon, 5 Jan 2004 03:01:49 +0100
Subject: RE: ipfw2 problem
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F5D9518@exchange.wanglobal.net>

First, although this probably won't help you, this might help someone else optimize their ipfw2 ruleset.

I see a lot of 'in via' which doesn't mean what I suspect you believe it means.
'in via' is two separate options.
'in' means it matches when the packet is incoming.
'via' means it matches when the packet is either received or transmitted on said interface.
Try replacing them with 'in recv' (and 'out xmit' when it's 'out via').

Optimize your rules to do fewer checks;

> ${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0
> ${fwcmd} add 23 deny all from 172.16.0.0/12 to any via fxp0
> ${fwcmd} add 25 deny all from 192.168.0.0/16 to any via fxp0

could be written as;

${fwcmd} add 21 deny via fxp0 src-ip 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Now it would drop packets from the above nets when a packet enters or exits fxp0.
Also, if I'm not mistaken, 'via fxp0' is less expensive than 'src-ip' so it should go first.

A side note, you could also reorder your rules so that it looks somewhat like this.

add 100 allow via lo0
add 100 check-state
add 101 deny proto icmp iplen 92
add 102 skipto 1000 via fxp0
add 103 skipto 2000 via fxp1
...
add 1000 [ handle rules going in and out on fxp0 here ]
...
add 2000 [ handle rules going in and out on fxp1 here ]
...

This way you don't have to do via/recv/xmit checks on each rule, and packets not concerned with that interface don't get checked.
Also bridged packets only get checked on 'incoming', - this might have changed in 5.0.
Someone please correct me if I'm wrong.

// Sten

> [remainder of Ganbold's rc.firewall, quoted]
pass all from 224.0.0.0/4 to 202.179.x.x/19 via fxp0 >=20 > # Allowing OSPF > ${fwcmd} add pass ospf from any to any >=20 > # Allowing GRE > ${fwcmd} add pass gre from any to any >=20 > # Allowing IP fragments to pass through. > ${fwcmd} add 65001 pass all from any to any frag >=20 > # Everything else is suspect > ${fwcmd} add drop log ip from any to any ... > -------------------------------------------------------------- > --------------------------------------------------------------- >=20 > /etc/sysctl.conf file. > -------------------------------------------------------------- > --------------------------------------------------------------- > net.link.ether.bridge_cfg=3Dfxp0:0,fxp1:0 > net.link.ether.bridge_ipfw=3D1 > net.link.ether.bridge.enable=3D1 >=20 > net.inet.ip.fw.one_pass=3D0 > security.bsd.see_other_uids=3D0 > net.link.ether.inet.max_age=3D1200 > kern.ipc.somaxconn=3D1024 > net.inet.tcp.sendspace=3D32768 > net.inet.tcp.recvspace=3D32768 >=20 > net.inet.ip.sourceroute=3D0 > net.inet.ip.accept_sourceroute=3D0 >=20 > # Stop broadcast ECHO response > net.inet.icmp.bmcastecho=3D0 >=20 > # Stop other broadcast probes > net.inet.icmp.maskrepl=3D0 >=20 > net.inet.tcp.blackhole=3D2 > net.inet.udp.blackhole=3D1 >=20 > net.inet.ip.fw.dyn_max=3D8192 > net.inet.ip.fw.dyn_ack_lifetime=3D3600 > net.inet.ip.fw.dyn_udp_lifetime=3D10 > net.inet.ip.fw.dyn_buckets=3D1024 >=20 > -------------------------------------------------------------- > --------------------------------------------------------------- >=20 > tia, >=20 > Ganbold >=20 > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to=20 > "freebsd-ipfw-unsubscribe@freebsd.org" >=20 From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 5 11:03:34 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with 
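The question underneath this thread (what happens when net.inet.ip.fw.dyn_count reaches net.inet.ip.fw.dyn_max, and whether the quoted dyn_ack_lifetime=3600 is part of the problem) can be reasoned about with a capacity model. The following is an added example, not kernel code and not anything posted in the thread. It assumes that a state lives dyn_ack_lifetime (TCP) or dyn_udp_lifetime (UDP) seconds from installation (the kernel's shorter SYN-phase lifetime is skipped), that expired states are only reclaimed when the table is full, and, as Ganbold suspects, that a packet which needs a new state while no slot is free is dropped. The arrival rates (5 new TCP and 20 new UDP flows per second) are constructed; the sysctl values come from the quoted sysctl.conf.

```python
"""Capacity model of an ipfw2 dynamic-rule table (net.inet.ip.fw.dyn_*).

Constructed example, not FreeBSD kernel code.  Assumptions: a new state
lives dyn_ack_lifetime (TCP) or dyn_udp_lifetime (UDP) seconds from the
moment it is installed; expired states are only reclaimed when the table
is full; and a packet that needs a new state while no slot is free is
dropped, which is what the thread suspects happens at dyn_max.
"""
import heapq


class DynTable:
    def __init__(self, dyn_max, ack_lifetime, udp_lifetime):
        self.dyn_max = dyn_max
        self.lifetimes = {"tcp": ack_lifetime, "udp": udp_lifetime}
        self.entries = {}   # flow key -> expiry time (seconds)
        self.heap = []      # (expiry, key); stale pairs are skipped on pop
        self.drops = 0

    def purge_expired(self, now):
        """Free every state whose expiry time has passed."""
        freed = 0
        while self.heap and self.heap[0][0] <= now:
            expiry, key = heapq.heappop(self.heap)
            if self.entries.get(key) == expiry:   # pair is still the live one
                del self.entries[key]
                freed += 1
        return freed

    def install(self, key, proto, now):
        """Install (or refresh) the state for one flow; False means the packet is dropped."""
        if key not in self.entries and len(self.entries) >= self.dyn_max:
            self.purge_expired(now)
            if len(self.entries) >= self.dyn_max:
                self.drops += 1
                return False
        expiry = now + self.lifetimes[proto]
        self.entries[key] = expiry
        heapq.heappush(self.heap, (expiry, key))
        return True


def expected_live_states(tcp_per_sec, ack_lifetime, udp_per_sec, udp_lifetime):
    """Little's law: states alive at once = arrival rate * lifetime, summed per protocol."""
    return tcp_per_sec * ack_lifetime + udp_per_sec * udp_lifetime


def simulate(dyn_max, ack_lifetime, udp_lifetime, seconds, tcp_per_sec, udp_per_sec):
    """Offer a constant stream of brand-new TCP and UDP flows for `seconds` seconds."""
    table = DynTable(dyn_max, ack_lifetime, udp_lifetime)
    for now in range(seconds):
        for i in range(tcp_per_sec):
            table.install(("tcp", now, i), "tcp", now)
        for i in range(udp_per_sec):
            table.install(("udp", now, i), "udp", now)
    return table


if __name__ == "__main__":
    # dyn_max, lifetimes from the quoted sysctl.conf; the flow rates are constructed.
    for ack in (3600, 300):
        t = simulate(8192, ack, 10, 3600, 5, 20)
        print(f"dyn_ack_lifetime={ack:4d}: expected live states "
              f"{expected_live_states(5, ack, 20, 10):5d}, drops={t.drops}, "
              f"table size at end={len(t.entries)}")
```

The arithmetic is the useful part: with 5 new TCP connections per second and an ack lifetime of 3600 s, the table has to hold about 18,000 live states at once, so dyn_max=8192 fills during the first busy hour regardless of RAM; with a 300 s ack lifetime the same load needs roughly 1,700 slots and never drops. Watching net.inet.ip.fw.dyn_count approach dyn_max during peak hours is the check that tells the two guesses in the original mail (memory versus state-table exhaustion) apart.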
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 5 Jan 2004 11:01:56 -0800 (PST)
Message-Id: <200401051901.i05J1u9l016450@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557 ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274 ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341 ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534 ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080 ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159 ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564 ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172 ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086 ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959  ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749  ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984 ipfw  [patch] time based firewalling support fo

9 problems total.

From: "Dragon"
To: freebsd-ipfw@freebsd.org
Date: Tue, 06 Jan 2004 02:32:09 -0500
Message-ID: <200401060232090840.06D4EA3A@smtp.phreaker.net>
In-Reply-To: <20040105200045.553EA16A4F2@hub.freebsd.org>
Subject: Re: bw limit of http downloads?

>Message: 1
>Date: Sun, 4 Jan 2004 13:01:58 -0800 (PST)
>From: tony@saign.com
>Subject: bw limit of http downloads?
>To: ipfw@freebsd.org
>Message-ID: <3466.66.146.166.53.1073250118.squirrel@p3.saignon.net>
>Content-Type: text/plain;charset=iso-8859-1
>
>I've been toying with the idea of limiting port 80 downloads from my box.
>Seems some people can't be polite, and do it themselves??
>
>Is there a quick way using a single pipe/queue to restrict port 80 to say
>128K downloads?
>
>Thanks,
>-Tony

Since the ipfw(8) manual page can be a little confusing for someone with little experience using pipes, try the following. Let's say 1.2.3.4 is the IP address that you have your httpd running on, rule number 400 is where the piping is to be placed, and dc0 is the network interface:

ipfw pipe 1 config bw 128KBytes/s mask src-ip 1.2.3.4
ipfw add 400 pipe 1 tcp from 1.2.3.4 80 to any out via dc0

You can also use address/masklen (ie. 1.2.3.4/24) in place of a single address if you have your httpd running on multiple addresses.

I hope this gives you a good example.
-Alec Masters

From: Ganbold
To: freebsd-ipfw@freebsd.org
cc: freebsd-hackers@freebsd.org
Date: Tue, 06 Jan 2004 17:01:11 +0800
Message-Id: <6.0.1.1.2.20040106165754.02a5b918@202.179.0.80>
Subject: dummynet question

Hi,

I'm using a FreeBSD 5.2-current machine for a firewall. It is configured as a bridged ipfw2 firewall. Also this machine works as a traffic shaper using ip dummynet features.

I'm trying to limit bandwidth for some particular application, for example the eMule p2p application. I'm doing it in the following way:

# eMule
${fwcmd} pipe 59 config bw 256kbit/s
${fwcmd} pipe 60 config bw 256kbit/s
${fwcmd} add 80 pipe 59 ip from 202.179.x.x/19 to any 2323,4242,4243,4661-4672,7700-7800 in via fxp1
${fwcmd} add 81 pipe 60 ip from any to 202.179.x.x/19 2323,4242,4243,4661-4672,7700-7800 in via fxp0

Am I doing right?

tia,

Ganbold

From: "Clemens Fischer"
To: "Nolan Orwan"
cc: freebsd-ipfw@freebsd.org
Date: 6 Jan 2004 16:10:09 +0100
In-Reply-To: <3FC77330.7010702@comcast.net> (Nolan Orwan's message of "Fri, 28 Nov 2003 09:09:20 -0700")
References: <20031128102120.GB34837@toudi.cisovanet.pl> <3FC77330.7010702@comcast.net>
Subject: Re: bridge problem II

* 2003-11-28 Nolan Orwan:

> The problem is I can't figure out what ipfw rule or rules will allow
> the inside NIC to send and receive traffic to the outside.

you're looking for the term NAT = "Network Address Translation".
see natd(8) and google for "freebsd natd" (repeat query with NAT instead of natd). and there's the handbook, too ...

clemens

From: "Artis Caune"
To: "'Luigi Rizzo'"
cc: freebsd-ipfw@freebsd.org
Date: Tue, 6 Jan 2004 17:51:29 +0200
In-Reply-To: <20031106033919.A65661@xorpc.icir.org>
Message-Id: <20040106155246.EF5E743D41@mx1.FreeBSD.org>
Subject: RE: loading lot of rules takes very long time

Happy new year!

Back to old topic...

I found a solution to my problem!

we really need 10000++ rules. ;)

I wrote my own traffic shaper: kld module.
It attaches to the ip filter 'fr_checkp' function pointer.
It uses a binary tree to match IP packets, and it always matches in 32 steps.
It then uses the CISCO CAR (token bucket) algorithm to shape (rate limit) traffic.
It can use the CISCO 'compounded debt' algorithm to simulate RED ;)
It doesn't use queues, it doesn't add delays.
It shapes very close to the configured rate.
Grr, and it works in bridge mode.

I can load 30000 rules on a PII 300 box in 1-2 seconds.
Yeh, that's seconds, not hours ;)

config file is very simple:

> interface em0 in dst-ip
> pipe test 64KB
> 10.0.0.0/24 pipe test
> 192.168.0.1/32 pipe test

All works great!!!

Totally about 1500 lines of kernel/userland code.

cheers
Artis

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Luigi Rizzo
Sent: Thursday, 6 November 2003 13:39
To: Artis Caune
Cc: freebsd-ipfw@freebsd.org
Subject: Re: loading lot of rules takes very long time

most likely, because you are not using "-n", the printing code will use the nameserver to try and resolve addresses, and if halfway through you are limiting/blocking access to the nameserver you incur timeouts.

To tell the truth i suspect you have a quite poorly designed ruleset if you are adding individual rules and pipes for each client. Almost surely you should make use of masks in pipes, and address sets in rules, to reduce the size of your ruleset to something manageable and efficient.

cheers
luigi

On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> Hello,
>
> We have about 10000-20000 pipes for
> different subnets, and it takes very long
> time to load them - about 10-15min.
>
> 92.8% interrupt, 0.0% idle
>
> strange that things slow down when count
> reaches 2000-2500 rules.
>
> is there something we can do to speed things up?
>
> rules are added like:
> ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> ipfw pipe 1 config bw 30Kbytes/s queue 10
> ...
> soo 'ipfw' is invoked '2 x client_count' !!!
>
> maybe ipfw need feature like:
> ipfw -f /etc/rc.firewall
>
>
> # FreeBSD-4.9, IPFW2,
> # HZ=2000, DEVICE_POLLING,
> # 1G RAM, 2.4xeon on Intel server board
>
>
> .....
> Artis

From: "'Luigi Rizzo'"
To: Artis Caune
cc: freebsd-ipfw@freebsd.org
Date: Tue, 6 Jan 2004 22:09:25 -0800
Message-ID: <20040106220925.A35110@xorpc.icir.org>
References: <20031106033919.A65661@xorpc.icir.org> <200401061552.i06Fqn1h007092@wyvern.icir.org>
In-Reply-To: <200401061552.i06Fqn1h007092@wyvern.icir.org>; from ac-lists@latnet.lv on Tue, Jan 06, 2004 at 05:51:29PM +0200
Subject: Re: loading lot of rules takes very long time
good to hear you found a viable solution for you :)

cheers
luigi

On Tue, Jan 06, 2004 at 05:51:29PM +0200, Artis Caune wrote:
> Happy new year!
>
> Back to old topic...
>
> I found solution to my problem !
>
> we really need 10000++ rules. ;)
>
> I wrote my own traffic shaper: kld module.
> [...]
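Two ideas from the messages above are worth seeing side by side: Luigi's and Alec's point that a dummynet pipe with 'mask src-ip' hands every source address its own bandwidth allocation (one pipe rule instead of one per client), and the CISCO CAR style token bucket Artis describes, which drops excess packets rather than queueing them. The code below is an added example, not dummynet, not Artis's kld module, and not anything posted in the thread. The traffic (two servers, 1.2.3.4 and 1.2.3.5 as in Alec's mail, each sending 1500-byte packets at 200 packets per second), the 16 KByte burst depth, and the reading of 128 KBytes/s as 131072 bytes per second are all the example's own choices.

```python
"""Token-bucket shaper with one bucket per masked source address.

Constructed example, not dummynet or the kld module from the thread.  It
models a pipe configured with 'mask src-ip' (every source address gets its
own bucket) driven by a CAR style token bucket that drops excess packets
instead of queueing them.  Traffic, rates and addresses are made up.
"""
import ipaddress


class TokenBucket:
    """Single-rate token bucket: `rate` bytes/s refill, `burst` bytes depth."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def conform(self, size, now):
        # Credit the bytes earned since the previous packet, never beyond the burst depth.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True     # conforming packet: forwarded
        return False        # excess packet: dropped, nothing is queued or delayed


class MaskedShaper:
    """Like 'pipe N config bw ... mask src-ip <mask>': one bucket per (src_ip & mask)."""

    def __init__(self, rate, burst, mask="255.255.255.255"):
        self.rate, self.burst = rate, burst
        self.mask = int(ipaddress.IPv4Address(mask))
        self.buckets = {}
        self.passed = {}    # per source address, for the report
        self.dropped = {}

    def flow_key(self, src_ip):
        return int(ipaddress.IPv4Address(src_ip)) & self.mask

    def offer(self, src_ip, size, now):
        bucket = self.buckets.setdefault(self.flow_key(src_ip),
                                         TokenBucket(self.rate, self.burst))
        ok = bucket.conform(size, now)
        stats = self.passed if ok else self.dropped
        stats[src_ip] = stats.get(src_ip, 0) + 1
        return ok


def run_demo(mask, seconds=2.0, pps=200, size=1500, hosts=("1.2.3.4", "1.2.3.5")):
    """Two servers each sending 1500-byte packets at 200 pkt/s (300 KB/s) through a
    128 KByte/s pipe with a 16 KByte burst; returns packets forwarded per source."""
    shaper = MaskedShaper(rate=128 * 1024, burst=16 * 1024, mask=mask)
    for i in range(int(seconds * pps)):
        now = i / pps
        for host in hosts:          # constructed traffic, same timestamp for both hosts
            shaper.offer(host, size, now)
    return {host: shaper.passed.get(host, 0) for host in hosts}


if __name__ == "__main__":
    print("mask 255.255.255.255 (bucket per host):", run_demo("255.255.255.255"))
    print("mask 255.255.255.0   (one shared bucket):", run_demo("255.255.255.0"))
```

With the /32 mask each host is forwarded 185 of its 400 packets (the 16 KByte burst plus two seconds at 128 KByte/s, divided by 1500 bytes); with the /24 mask both hosts draw on one bucket, the pair still gets 185 packets in total, and the host that happens to be offered first each round takes almost all of them. That is the practical meaning of Luigi's advice: the mask decides what the pipe treats as one flow, and a pipe without the right mask shapes the aggregate rather than each client.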
From: "Clemens Fischer"
To: "Artis Caune"
cc: freebsd-ipfw@freebsd.org
Date: 7 Jan 2004 23:02:40 +0100
In-Reply-To: <20040106155246.EF5E743D41@mx1.FreeBSD.org> (Artis Caune's message of "Tue, 6 Jan 2004 17:51:29 +0200")
References: <20040106155246.EF5E743D41@mx1.FreeBSD.org>
Subject: Re: loading lot of rules takes very long time

* Artis Caune:

> I wrote my own traffic shaper: kld module.

are you going to make this traffic shaper available to the masses? i'd be interested.

> On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
>> maybe ipfw need feature like:
>> ipfw -f /etc/rc.firewall

am i really the only one who reads ipfw(8) and uses the feature you found missing?

IPFW(8)                 FreeBSD System Manager's Manual                IPFW(8)

NAME
     ipfw -- IP firewall and traffic shaper control program

SYNOPSIS
     ...
     ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname

you can even tell ipfw(8) which preprocessor you want to run your rules on, everything builtin for ages...

clemens

From: msch@snafu.de
To: freebsd-ipfw@freebsd.org
Date: Thu, 8 Jan 2004 14:38:12 GMT
Subject: ipfw on a bridge

Hi,

I'm working on a filtering bridge with ipfw2 on FreeBSD 5.1-RELEASE-p11. I made a test-setup consisting of the bridge itself and a test-client behind that bridge. 'fxp0' is the outer I/F, 'fxp1' the inner. Neither 'fxp0' nor 'fxp1' have an IP-address. 'bge0' is the on-board I/F of the bridge-host *with* an IP-address.
My first test-ruleset for ipfw on the bridge is:

root@fw1.xxx.yyy.zzz - ~
515 # ipfw list
00100 check-state
00200 skipto 3000 ip from any to any layer2
00300 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state
00400 allow ip from me to any xmit bge0 keep-state
03000 allow ip from any to any layer2 not mac-type 0x0800
03100 allow tcp from any to any in recv fxp1 setup keep-state
03200 allow udp from any to any in recv fxp1 keep-state
03300 allow ip from any to any in recv fxp1
03400 deny log ip from any to any
65535 deny ip from any to any

Rule 3000 should allow for ARP-requests, but doesn't work as expected. I have several questions on that rule:

The original syntax is from the ipfw(8)-manpage and reads as follows:

"allow layer2 not mac-type ip" where 'ip' expands to '0x0800'

Why does "allow layer2 mac-type 0x0806" *not* work, although '0x0806' is exactly the MAC-Type for ARP?

Why can I ping the internal client from outside if "allow layer2 not mac-type ip" is active, although the ICMP ping-request comes to the bridge "in recv fxp0"? If I look at the counters, the 'ping' uses rule #3000, although ICMP *is* mac-type 'ip'.

Can someone explain that behaviour? I read 'ipfw(8)' several times as well as the article on 'filtering bridges' on freebsd.org. "TCP/IP Illustrated" from W.R.Stevens is my best friend :-) but I remain irritated.

Thanks a lot - Matthias

From: Forrest Aldrich
To: freebsd-ipfw@freebsd.org
Date: Thu, 08 Jan 2004 13:45:01 -0500
Message-Id: <6.0.1.1.2.20040108134426.01dd6df0@192.168.1.1>
Subject: XML output?

Has anyone considered enabling ipfw to output XML? This might be useful for stats gathering/display, etc.

_F

From: Ganbold
To: msch@snafu.de
cc: freebsd-ipfw@freebsd.org
Date: Fri, 09 Jan 2004 09:27:40 +0800
Message-Id: <6.0.1.1.2.20040109092421.02a583d8@202.179.0.80>
Subject: Re: ipfw on a bridge
freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jan 2004 01:23:54 -0000 Hi, I also have bridge ipfw2 on FreeBSD 5.2-current. And following rule passes arp requests. # pass ARP ${fwcmd} add 3000 allow layer2 mac-type arp Ganbold At 10:38 PM 08.01.2004, you wrote: >Hi, > >I'm working on a filtering bridge with ipfw2 on FreeBSD 5.1-RELEASE-p11. >I made a test-setup consisting of the bridge itself and a test-client >behind that bridge. 'fxp0' is the outer I/F, 'fxp1' the inner. >Neither 'fxp0' nor 'fxp1' have an IP-address. 'bge0' is the on-board I/F of >the bridge-host *with* an IP-addres. > >My first test-ruleset for ipfw on the bridge is: > >root@fw1.xxx.yyy.zzz - ~ >515 # ipfw list >00100 check-state >00200 skipto 3000 ip from any to any layer2 >00300 allow tcp from any to me dst-port 22 in recv bge0 setup keep-state >00400 allow ip from me to any xmit bge0 keep-state >03000 allow ip from any to any layer2 not mac-type 0x0800 >03100 allow tcp from any to any in recv fxp1 setup keep-state >03200 allow udp from any to any in recv fxp1 keep-state >03300 allow ip from any to any in recv fxp1 >03400 deny log ip from any to any >65535 deny ip from any to any > >Rule 3000 should allow for ARP-requests, but doesn't work as expected. >I have several questions on that rule: > >The original syntax is from the ipfw(8)-manpage and reads as follows: > >"allow layer2 not mac-type ip" where 'ip' expands to '0x0800' > >Why does "allow layer2 mac-type 0x0806" *not* work, although '0x0806' >is exactly the MAC-Type for ARP? > >Why can I ping the internal client from outside if >"allow layer2 not mac-type ip" is active, although the ICMP ping-request >comes to the bridge "in recv fxp0"? If I look at the counters, the 'ping' >uses rule #3000, although ICMP *is* mac-type 'ip'. > >Can someone explain that behaviour? 
I read 'ipfw(8)' several times as well >as the article on 'filtering bridges' on freebsd.org. "TCP/IP Illustrated" >from W.R.Stevens is my best friend :-) but I remain irritated. > >Thank's a lot - Matthias > > >_______________________________________________ >freebsd-ipfw@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 9 00:24:27 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 17D2316A4CE for ; Fri, 9 Jan 2004 00:24:27 -0800 (PST) Received: from smart.eusc.inter.net (smart.eusc.inter.net [213.73.101.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F64743D45 for ; Fri, 9 Jan 2004 00:24:26 -0800 (PST) (envelope-from msch@snafu.de) Received: from mail.snafu.de ([10.12.0.4] helo=service.snafu.de) by smart.eusc.inter.net with smtp (Exim 3.36 #4) id 1AerwP-0005mN-00; Fri, 09 Jan 2004 09:24:25 +0100 To: Ganbold From: msch@snafu.de X-Sender: msch@snafu.de Date: Fri, 9 Jan 2004 08:24:25 GMT X-Mailer: Endymion MailMan Standard Edition v3.0.35 Message-Id: cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw on a bridge X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jan 2004 08:24:27 -0000 Hi, > I also have bridge ipfw2 on FreeBSD 5.2-current. > And following rule passes arp requests. > > # pass ARP > ${fwcmd} add 3000 allow layer2 mac-type arp This is exactly what doesn't work here :-( Would you tell me your related sysctl-values and kernel options? 
Mine here are: (/etc/sysctl.conf) net.link.ether.bridge_cfg=fxp0,fxp1 net.link.ether.bridge_ipfw=1 net.link.ether.bridge=1 and: options BRIDGE #bridge-ability options IPFIREWALL #firewall options IPFIREWALL_VERBOSE #enable logging to syslogd(8) options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity Thanks so far - Matthias From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 9 00:47:40 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D1B1916A4CE for ; Fri, 9 Jan 2004 00:47:40 -0800 (PST) Received: from publicd.ub.mng.net (publicd.ub.mng.net [202.179.0.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 329EE43D2D for ; Fri, 9 Jan 2004 00:47:37 -0800 (PST) (envelope-from ganbold@micom.mng.net) Received: from [202.179.0.164] (helo=ganbold.micom.mng.net) by publicd.ub.mng.net with asmtp (Exim 4.30; FreeBSD) id 1AesEY-000JXL-2m; Fri, 09 Jan 2004 16:43:10 +0800 Message-Id: <6.0.1.1.2.20040109164801.029ba060@202.179.0.80> X-Sender: ganbold@micom.mng.net@202.179.0.80 X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1 Date: Fri, 09 Jan 2004 16:51:21 +0800 To: msch@snafu.de From: Ganbold In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw on a bridge X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jan 2004 08:47:40 -0000 Hi, My sysctl.conf: net.link.ether.bridge_cfg=fxp0:0,fxp1:0 net.link.ether.bridge_ipfw=1 net.link.ether.bridge.enable=1 net.inet.ip.fw.one_pass=0 security.bsd.see_other_uids=0 net.link.ether.inet.max_age=1200 kern.ipc.somaxconn=1024 net.inet.tcp.sendspace=32768 net.inet.tcp.recvspace=32768 net.inet.ip.sourceroute=0 net.inet.ip.accept_sourceroute=0 net.inet.icmp.bmcastecho=0 
net.inet.icmp.maskrepl=0 net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1 net.inet.ip.fw.dyn_buckets=16384 net.inet.ip.fw.dyn_ack_lifetime=300 net.inet.ip.fw.dyn_udp_lifetime=10 net.inet.ip.fw.dyn_syn_lifetime=5 net.inet.ip.fw.dyn_max=32000 net.inet.ip.fw.debug=0 net.inet.ip.dummynet.max_chain_len=256 net.inet.ip.dummynet.hash_size=1024 net.inet.ip.fw.verbose_limit=1 My kernel config: ... options IPFIREWALL options IPFIREWALL_VERBOSE options IPFIREWALL_VERBOSE_LIMIT=100 options IPDIVERT options TCPDEBUG options IPSTEALTH options TCP_DROP_SYNFIN options DUMMYNET options HZ=1000 options BRIDGE ... My rc.conf ... log_in_vain=1 icmp_drop_redirect="YES" icmp_log_redirect=YES tcp_drop_synfin="YES" tcp_restrict_rst="YES" Ganbold At 04:24 PM 09.01.2004, you wrote: >Hi, > > > I also have bridge ipfw2 on FreeBSD 5.2-current. > > And following rule passes arp requests. > > > > # pass ARP > > ${fwcmd} add 3000 allow layer2 mac-type arp > >This is exactly what doesn't work here :-( > >Would you tell me your related sysctl-values and kernel options? 
> >Mine here are: (/etc/sysctl.conf) > >net.link.ether.bridge_cfg=fxp0,fxp1 >net.link.ether.bridge_ipfw=1 >net.link.ether.bridge=1 > >and: > >options BRIDGE #bridge-ability >options IPFIREWALL #firewall >options IPFIREWALL_VERBOSE #enable logging to syslogd(8) >options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity > >Thanks so far - Matthias From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 9 14:40:55 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0D9E516A4CE for ; Fri, 9 Jan 2004 14:40:55 -0800 (PST) Received: from smart.eusc.inter.net (smart.eusc.inter.net [213.73.101.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id E233843D5D for ; Fri, 9 Jan 2004 14:40:53 -0800 (PST) (envelope-from msch@snafu.de) Received: from tc01-n71-138.de.inter.net ([213.73.71.138]) by smart.eusc.inter.net with esmtp (Exim 3.36 #4) id 1Af5JE-0001QZ-00; Fri, 09 Jan 2004 23:40:52 +0100 From: Matthias Schuendehuette Organization: Micro$oft-free Zone To: Ganbold Date: Fri, 9 Jan 2004 23:40:50 +0100 User-Agent: KMail/1.5.4 References: <6.0.1.1.2.20040109164801.029ba060@202.179.0.80> In-Reply-To: <6.0.1.1.2.20040109164801.029ba060@202.179.0.80> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200401092340.50928.msch@snafu.de> cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw on a bridge X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: msch@snafu.de List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jan 2004 22:40:55 -0000 Hi, On Friday 09 January 2004 09:51, Ganbold wrote: > > My sysctl.conf: > [...] > My kernel config: > [...] > My rc.conf > [...] Thanks a lot! I found the real source of my problems: I forgot (for myself and to mention) the VLANs - sorry for that! 
Are you handling/bridging VLANs with your filtering bridge? Anyway, that's another story or at least a new thread... :-) Again, thank you so far - Matthias -- Ciao/BSD - Matthias Matthias Schuendehuette , Berlin (Germany) PGP-Key at and ID: 0xDDFB0A5F From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 10 04:20:03 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B3BA816A4D0 for ; Sat, 10 Jan 2004 04:20:03 -0800 (PST) Received: from mail.lphp.org (APastourelles-107-1-16-225.w80-14.abo.wanadoo.fr [80.14.185.225]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7D3E643D1D for ; Sat, 10 Jan 2004 04:20:01 -0800 (PST) (envelope-from ajacoutot@lphp.org) Received: from sta01 (sta01.lphp.local [192.168.0.3]) by mail.lphp.org (8.12.10/8.12.10) with ESMTP id i0ACJWR1065007 for ; Sat, 10 Jan 2004 13:19:32 +0100 (CET) (envelope-from ajacoutot@lphp.org) From: Antoine Jacoutot To: freebsd-ipfw@freebsd.org Date: Sat, 10 Jan 2004 13:18:02 +0100 User-Agent: KMail/1.5.4 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200401101318.02073.ajacoutot@lphp.org> Subject: routing and fwd X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 10 Jan 2004 12:20:03 -0000 Hi :) I have a simple problem and I was told this was possible to use ipfw to resolve this. I have a FreeBSD gateway which has 2 internet connexions: - con1 with a fixed public @ip range - con2 with a dynamic @ip connection with a DSL modem I would like to route all paquets coming from the DMZ (fixed public @ip range) and going to the Internet using con1 and route all paquets coming from LAN and going to the Internet using con2+NAT. 
I would also like to route paquets normally between LAN and DMZ. The default route on the gateway would be con2 (the dynamic @ip DSL connexion). Is it possible to build such a setup with ipfw ? I was thinking about something like: add divert 8668 ip from $LAN to !$DMZ via $con2 add fwd ip from $DMZ to !$LAN via $con1 But I was concerned about the fact that since my default route (on the gateway) would be con2, how would the paquets coming from the DMS be routed using con1 ? I hope this is understandable... ---------------- INTERNET ---------------- | | | | ---------------- con1 con2 FREEBSD_GATEWAY em1 em0 ---------------- | | | | DMZ LAN Thanks for any inputs.... Note that I do no need failover, load balance, bonding... I just want to convert 2 gateways (one for each NET connection) into 1. Regards, Antoine
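Added example for the "ipfw on a bridge" thread above; this is editor-written code, not code from the list, from FreeBSD or from ipfw. Matthias traces his trouble to the VLANs he had left out of the picture, and that would explain the counters he reported. An 802.1Q-tagged frame carries 0x8100 in the Ethernet type field, and the real protocol type only appears after the four-byte tag. Assuming that ipfw's mac-type keyword is compared with that outer type field (an assumption, also stated in the code), "allow layer2 not mac-type ip" matches every tagged frame, ICMP included, so a ping is counted on rule 3000, while "mac-type 0x0806" matches no tagged ARP at all. The script builds tagged and untagged ARP and IPv4 frames (constructed inline, placeholder payloads), reports what each variant of rule 3000 sees, and lists the frames that pass the "not mac-type ip" rule without being ARP:

```python
"""What a layer2 `mac-type` test on a filtering bridge sees once 802.1Q
tags are in play.  Added example; not ipfw or FreeBSD code.

Assumption, stated up front: ipfw's `mac-type` keyword is compared with
the two-byte type field at offset 12 of the frame as the bridge hands it
over.  For an 802.1Q-tagged frame that field is the tag protocol id 0x8100;
the encapsulated protocol's type only appears after the 4-byte tag.
All frames below are constructed inline for the demonstration.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IP = 0x0800     # 'ip' in ipfw mac-type syntax
ETHERTYPE_ARP = 0x0806    # 'arp'
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier


def build_frame(ethertype: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Assemble an Ethernet II frame; insert an 802.1Q tag when vlan is given."""
    dst = bytes.fromhex("ffffffffffff")   # broadcast (constructed)
    src = bytes.fromhex("0200000000aa")   # locally administered (constructed)
    header = dst + src
    if vlan is not None:
        # TCI: priority 0, CFI 0, 12-bit VLAN id
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def outer_ethertype(frame: bytes) -> int:
    """The value a `mac-type` match is assumed to compare: bytes 12..13."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def vlan_id(frame: bytes) -> Optional[int]:
    """VLAN id from the tag, or None for an untagged frame."""
    if outer_ethertype(frame) != ETHERTYPE_VLAN:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def inner_ethertype(frame: bytes) -> int:
    """Protocol type behind a single 802.1Q tag (equals the outer type when untagged)."""
    if vlan_id(frame) is None:
        return outer_ethertype(frame)
    return struct.unpack("!H", frame[16:18])[0]


# The two variants of rule 3000 discussed in the thread, modelled as
# predicates over the outer type field.
def rule_allow_not_mac_type_ip(frame: bytes) -> bool:
    return outer_ethertype(frame) != ETHERTYPE_IP


def rule_allow_mac_type_arp(frame: bytes) -> bool:
    return outer_ethertype(frame) == ETHERTYPE_ARP


def is_arp_any_tagging(frame: bytes) -> bool:
    """What the operator meant: ARP, whether or not a VLAN tag is present."""
    return inner_ethertype(frame) == ETHERTYPE_ARP


# Constructed sample traffic.  Payloads are placeholders; only the type
# fields matter for a mac-type decision.
ARP_REQUEST = bytes.fromhex("0001080006040001") + bytes(20)   # minimal ARP request header
IPV4_STUB = bytes.fromhex("45000054") + bytes(80)             # start of an IPv4 header
SAMPLE_FRAMES: Dict[str, bytes] = {
    "untagged ARP": build_frame(ETHERTYPE_ARP, ARP_REQUEST),
    "untagged IPv4 (ICMP echo)": build_frame(ETHERTYPE_IP, IPV4_STUB),
    "VLAN 10 ARP": build_frame(ETHERTYPE_ARP, ARP_REQUEST, vlan=10),
    "VLAN 10 IPv4 (ICMP echo)": build_frame(ETHERTYPE_IP, IPV4_STUB, vlan=10),
}


def audit(frames: Dict[str, bytes]) -> List[Tuple[str, int, int, bool, bool]]:
    """Per frame: name, outer type, inner type, passes 'not mac-type ip',
    passes 'mac-type arp'."""
    rows = []
    for name, frame in frames.items():
        rows.append((name, outer_ethertype(frame), inner_ethertype(frame),
                     rule_allow_not_mac_type_ip(frame),
                     rule_allow_mac_type_arp(frame)))
    return rows


def fail_open(frames: Dict[str, bytes]) -> List[str]:
    """Frames that are not ARP yet pass 'allow layer2 not mac-type ip'."""
    return [name for name, frame in frames.items()
            if rule_allow_not_mac_type_ip(frame) and not is_arp_any_tagging(frame)]


if __name__ == "__main__":
    for name, outer, inner, not_ip, arp in audit(SAMPLE_FRAMES):
        print(f"{name:26s} outer=0x{outer:04x} inner=0x{inner:04x} "
              f"'not mac-type ip'={not_ip} 'mac-type arp'={arp}")
    print("fail-open:", fail_open(SAMPLE_FRAMES))
```

The point for a filtering bridge: a negated layer2 match is a blanket allow for every frame type the author did not have in mind, so once tagged frames appear a rule like 3000 passes the IP traffic the later rules were supposed to filter. Listing the types the bridge really carries (the inner_ethertype/vlan_id check above, or a packet capture on the bridge members) before writing layer2 rules, and letting unexpected types fall through to the logging deny, keeps the ruleset fail-closed.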