From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 9 02:34:56 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B38E916A4CE for ; Tue, 9 Dec 2003 02:34:56 -0800 (PST)
Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D5FC43D21 for ; Tue, 9 Dec 2003 02:34:53 -0800 (PST) (envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from transport.cksoft.de (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id 7F2B91FF905; Tue, 9 Dec 2003 11:34:51 +0100 (CET)
Received: by transport.cksoft.de (Postfix, from userid 66) id C98CF1FF903; Tue, 9 Dec 2003 11:34:49 +0100 (CET)
Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id CCB1B1538F; Tue, 9 Dec 2003 10:34:37 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id C27811538C; Tue, 9 Dec 2003 10:34:37 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Gregory Edigarov
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw keep-state (ASAP answer needed)
Date: Tue, 09 Dec 2003 10:34:56 -0000
In-Reply-To: <20031209102312.GB529@profi.kharkov.ua>

On Tue, 9 Dec 2003, Gregory Edigarov wrote:

> The following is a fragment of my rc.firewall which must
> allow all traffic in and out of my named.
>
> ----
> ipfw add 4100 allow udp from me to any 53 keep-state
> ipfw add 4200 allow udp from any to me 53
> ipfw add 4300 allow udp from me 53 to any
> ---
> It doesn't work. What am I missing?

man ipfw /check-state ?

--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 26 18:24:46 2004
Date: Mon, 26 Jan 2004 18:23:07 -0800
From: Bill Fumerola To: freebsd-ipfw@freebsd.org Message-ID: <20040127022307.GP40147@elvis.mu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i X-Operating-System: FreeBSD 4.9-MUORG-20031210 i386 Subject: 'prevmatch' patch X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: billf@FreeBSD.org List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 02:24:46 -0000 i ran into a situation recently where i could write my ruleset a lot simpler (and remove some costly, redundant lookups) by requiring that the previous rule evaluated matched. note: this does NOT mean "the previous rule in order" it means "the previous rule traversed". the former isn't all that useful, but the latter is nice because it works with both count and skipto rules. i'm also working on a more complex tagging language, but in the mean time someone may find this useful. if there is interest, i'll clean it up, write up some appropriate mdoc patches as well and commit this. if not, this will live in the archives for people to apply locally. -- - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org ----- Forwarded message from bill fumerola ----- ==== //depot/yahoo/ybsd_4/src/sbin/ipfw/ipfw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/ipfw/ipfw2.c#3 (text+ko) ==== content @@ -225,6 +225,7 @@ TOK_MACTYPE, TOK_VERREVPATH, TOK_IPSEC, + TOK_PREVMATCH, TOK_COMMENT, TOK_PLR, @@ -337,6 +338,7 @@ { "mac-type", TOK_MACTYPE }, { "verrevpath", TOK_VERREVPATH }, { "ipsec", TOK_IPSEC }, + { "prevmatch", TOK_PREVMATCH }, { "//", TOK_COMMENT }, { "not", TOK_NOT }, /* pseudo option */ @@ -1262,6 +1264,10 @@ printf(" ipsec"); break; + case O_PREVMATCH: + printf(" prevmatch"); + break; + case O_NOP: comment = (char *)(cmd + 1); break; 
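Review bot: the `{ "prevmatch", TOK_PREVMATCH },` table entry and the ` prevmatch` printed by the @@ -1262 hunk give the keyword a place in `ipfw show` output but none in ipfw(8); the patch carries no mdoc change, so someone reading back a saved ruleset has nowhere to look up what the option means. Add a MATCH OPTIONS entry before commit (the cover letter already promises one) stating that it is true when the previously traversed rule matched, i.e. directly after a count or skipto action, and that it is not "the previous rule in numeric order".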
@@ -3400,6 +3406,10 @@ fill_cmd(cmd, O_IPSEC, 0, 0); break; + case TOK_PREVMATCH: + fill_cmd(cmd, O_PREVMATCH, 0, 0); + break; + case TOK_COMMENT: fill_comment(cmd, ac, av); av += ac; ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.c#4 (text+ko) ==== content @@ -1352,6 +1352,7 @@ int pktlen; int dyn_dir = MATCH_UNKNOWN; ipfw_dyn_rule *q = NULL; + int prevmatch = 0; if (m->m_flags & M_SKIP_FIREWALL) return 0; /* accept */ @@ -1524,6 +1525,10 @@ match = 1; break; + case O_PREVMATCH: + match = prevmatch; + break; + case O_FORWARD_MAC: printf("ipfw: opcode %d unimplemented\n", cmd->opcode); @@ -1948,6 +1953,7 @@ case O_COUNT: case O_SKIPTO: + prevmatch = 1; f->pcnt++; /* update stats */ f->bcnt += pktlen; f->timestamp = time_second; @@ -2004,6 +2010,7 @@ } } /* end of inner for, scan opcodes */ + prevmatch = 0; next_rule:; /* try next rule */ @@ -2414,6 +2421,7 @@ case O_ESTAB: case O_VERREVPATH: case O_IPSEC: + case O_PREVMATCH: if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; break; ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.h#3 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.h#3 (text+ko) ==== content 
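Review bot: in the @@ -1948 and @@ -2004 hunks of ip_fw2.c the flag is set at `case O_COUNT: case O_SKIPTO: prevmatch = 1;` and cleared by `prevmatch = 0;` placed just before the `next_rule:` label, so the value the next rule sees depends on which exits from the opcode loop pass through that clear: a count or skipto must leave without reaching it, and a failed match must reach it. Neither site carries a comment saying so; add one at each (or clear the flag at the point where a rule's match fails, which states the intent directly and does not depend on label placement). Also, `int prevmatch = 0;` in the @@ -1352 hunk is a local of the per-packet entry, so the flag does not follow a packet that is reinjected after a `divert` or a dummynet `pipe`; that limitation belongs in the documentation, since the flag proposal Luigi posts in reply explicitly preserves its bits across dummynet.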
@@ -96,6 +96,8 @@ O_VERREVPATH, /* none */ + O_PREVMATCH, /* none (previous rule matched) */ + O_PROBE_STATE, /* none */ O_KEEP_STATE, /* none */ O_LIMIT, /* ipfw_insn_limit */ ----- End forwarded message ----- From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 27 01:02:26 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF72916A4CE; Tue, 27 Jan 2004 01:02:26 -0800 (PST) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9FEF043D39; Tue, 27 Jan 2004 01:02:24 -0800 (PST) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.8) with ESMTP id i0R92OAF011280; Tue, 27 Jan 2004 01:02:24 -0800 (PST) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id i0R92O2e011279; Tue, 27 Jan 2004 01:02:24 -0800 (PST) (envelope-from rizzo) Date: Tue, 27 Jan 2004 01:02:24 -0800 
From: Luigi Rizzo
To: Bill Fumerola
cc: freebsd-ipfw@freebsd.org
Subject: Re: 'prevmatch' patch
Message-ID: <20040127010224.B11002@xorpc.icir.org>
In-Reply-To: <20040127022307.GP40147@elvis.mu.org>

On Mon, Jan 26, 2004 at 06:23:07PM -0800, Bill Fumerola wrote:
> i ran into a situation recently where i could write my ruleset a lot
> simpler (and remove some costly, redundant lookups) by requiring that
> the previous rule evaluated matched.
>
> note: this does NOT mean "the previous rule in order" it means "the
> previous rule traversed". the former isn't all that useful, but the
> latter is nice because it works with both count and skipto rules.

i cannot make much sense of this. Can you make an actual example ?

It seems to me that the only thing 'prevmatch' tells you is
whether or not you got to a rule as a result of a 'count' or 'skipto'
action, which is a special case of a more general (and equally
simple to implement) mechanism that i am planning to add (and i
believe i posted this already some time ago):

+ add to all non-terminal actions (count, skipto, tee) two bitmasks
  that specify sets of flags to set and clear, respectively;
+ add a new opcode that matches arbitrary bit patterns;
+ flags will be preserved in dummynet so they will be accessible
  when the packet comes out of a pipe.

So you will be able to write

100 count set 0x10 src-ip 1.2.3.4,5.6.7.8,9.10.11.12 // good guys
100 count set 0x20 dst-port 80
110 count set 0x40 src-ip 10.0.0.0/8,192.168.0.0/16 // bad guys
...
500 pipe 1 flags & 0x60 == 0x20 500 deny flags & 0x40 != 0 and so on. I am still a bit uncertain on the syntax for the 'flags' opcode -- this is basically the only think stopping me from implementing the thing. If you want to give it a shot... cheers luigi > not, this will live in the archives for people to apply locally. > > -- > - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org > > > ----- Forwarded message from bill fumerola ----- > > ==== //depot/yahoo/ybsd_4/src/sbin/ipfw/ipfw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/ipfw/ipfw2.c#3 (text+ko) ==== content > @@ -225,6 +225,7 @@ > TOK_MACTYPE, > TOK_VERREVPATH, > TOK_IPSEC, > + TOK_PREVMATCH, > TOK_COMMENT, > > TOK_PLR, > @@ -337,6 +338,7 @@ > { "mac-type", TOK_MACTYPE }, > { "verrevpath", TOK_VERREVPATH }, > { "ipsec", TOK_IPSEC }, > + { "prevmatch", TOK_PREVMATCH }, > { "//", TOK_COMMENT }, > > { "not", TOK_NOT }, /* pseudo option */ > @@ -1262,6 +1264,10 @@ > printf(" ipsec"); > break; > > + case O_PREVMATCH: > + printf(" prevmatch"); > + break; > + > case O_NOP: > comment = (char *)(cmd + 1); > break; > @@ -3400,6 +3406,10 @@ > fill_cmd(cmd, O_IPSEC, 0, 0); > break; > > + case TOK_PREVMATCH: > + fill_cmd(cmd, O_PREVMATCH, 0, 0); > + break; > + > case TOK_COMMENT: > fill_comment(cmd, ac, av); > av += ac; > ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.c#11 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.c#4 (text+ko) ==== content > @@ -1352,6 +1352,7 @@ > int pktlen; > int dyn_dir = MATCH_UNKNOWN; > ipfw_dyn_rule *q = NULL; > + int prevmatch = 0; > > if (m->m_flags & M_SKIP_FIREWALL) > return 0; /* accept */ > @@ -1524,6 +1525,10 @@ > match = 1; > break; > > + case O_PREVMATCH: > + match = prevmatch; > + break; > + > case O_FORWARD_MAC: > printf("ipfw: opcode %d unimplemented\n", > cmd->opcode); > @@ -1948,6 +1953,7 @@ > > case O_COUNT: > case O_SKIPTO: > + prevmatch = 1; > f->pcnt++; /* update stats */ > f->bcnt += pktlen; > f->timestamp = time_second; 
> @@ -2004,6 +2010,7 @@ > } > > } /* end of inner for, scan opcodes */ > + prevmatch = 0; > > next_rule:; /* try next rule */ > > @@ -2414,6 +2421,7 @@ > case O_ESTAB: > case O_VERREVPATH: > case O_IPSEC: > + case O_PREVMATCH: > if (cmdlen != F_INSN_SIZE(ipfw_insn)) > goto bad_size; > break; > ==== //depot/yahoo/ybsd_4/src/sys/netinet/ip_fw2.h#3 (text+ko) - //depot/fumerola/fbsd-net/sys/netinet/ip_fw2.h#3 (text+ko) ==== content > @@ -96,6 +96,8 @@ > > O_VERREVPATH, /* none */ > > + O_PREVMATCH, /* none (previous rule matched) */ > + > O_PROBE_STATE, /* none */ > O_KEEP_STATE, /* none */ > O_LIMIT, /* ipfw_insn_limit */ > > > ----- End forwarded message ----- > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 27 02:06:59 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E03FA16A4CE for ; Tue, 27 Jan 2004 02:06:59 -0800 (PST) Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8DC8843D77 for ; Tue, 27 Jan 2004 02:06:18 -0800 (PST) (envelope-from billf@elvis.mu.org) Received: by elvis.mu.org (Postfix, from userid 1098) id 1439B5C789; Tue, 27 Jan 2004 02:05:33 -0800 (PST) Date: Tue, 27 Jan 2004 02:05:33 -0800 
From: Bill Fumerola
To: Luigi Rizzo
cc: freebsd-ipfw@freebsd.org
Subject: Re: 'prevmatch' patch
Message-ID: <20040127100533.GS40147@elvis.mu.org>
In-Reply-To: <20040127010224.B11002@xorpc.icir.org>

On Tue, Jan 27, 2004 at 01:02:24AM -0800, Luigi Rizzo wrote:
> i cannot make much sense of this. Can you make an actual example ?

it allows for fallthrough/!fallthrough behavior. i had multiple skiptos
(address based) pointing at a rule (port based) living in a larger block
and i didn't want to retest those address conditions. it's more for the
mail archives in case someone finds it useful and not really commitworthy.

> It seems to me that the only thing 'prevmatch' tells you is
> whether or not you got to a rule as a result of a 'count' or 'skipto'
> action, which is a special case of a more general (and equally
> simple to implement) mechanism that i am planning to add (and i
> believe i posted this already some time ago):
>
> + add to all non-terminal actions (count, skipto, tee) two bitmasks
>   that specify sets of flags to set and clear, respectively;
> + add a new opcode that matches arbitrary bit patterns;
> + flags will be preserved in dummynet so they will be accessible
>   when the packet comes out of a pipe.
>
> So you will be able to write
>
> 100 count set 0x10 src-ip 1.2.3.4,5.6.7.8,9.10.11.12 // good guys
> 100 count set 0x20 dst-port 80
> 110 count set 0x40 src-ip 10.0.0.0/8,192.168.0.0/16 // bad guys
> ...
> 500 pipe 1 flags & 0x60 == 0x20
> 500 deny flags & 0x40 != 0
>
> and so on. I am still a bit uncertain on the syntax for the 'flags'
> opcode -- this is basically the only thing stopping me from implementing
> the thing. If you want to give it a shot...

yeah, someone on a mailing list mentioned this work and i started working
something similar for my own amusement. i added more primitives (most of
the C equality and assignment operators) but stopped at the userland part.

supporting one operator and value is easy, doing multiple operators makes
things a bit trickier. the syntax for multiple operators in the 'check'
section seems easier to make unambiguous than multiple operators in the
'set' section. creating/coding the grammar is harder than the kernel
support.. it'd probably be best to commit something like the above and
then expand on the language if needed.

--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 28 02:02:20 2004
Date: Wed, 28 Jan 2004 08:02:28 -0200
From: Diego Linke - GAMK
To: freebsd-ipfw@freebsd.org
Subject: limit question
Message-Id: <20040128080228.20b06919.linke@calnet.com.br>

Hi,

I need to limit to max 150 connections but only 3 from the same src host.

I thought about using something like:

ipfw add allow tcp from any to me 110 in via fxp0 setup limit src-addr 3 dst-port 150

But it's not valid. I made:

ipfw add allow tcp from any to me 110 in via fxp0 setup limit src-addr dst-port 150

This validates and works, however not as I need.

Does somebody have an idea how I can implement this?

Thanks :D

--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk@gamk.com.br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 8804-4303
** BSD "Where uptime is measured in years" **

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 28 10:41:20 2004
Message-Id: <200401281841.i0SIfGL17621@netlx014.civ.utwente.nl>
From: "Roderick van Domburg"
Subject: ip6fw breakage (on at least sparc64)
Date: Wed, 28 Jan 2004 19:44:57 +0100

Hello everyone,

I filed kern/61544 describing a broken IPv6 firewall on sparc64.
Basically, "allow ipv6 from any to any" does the job but any other rule
(even "allow tcp from any to any") simply rejects all traffic, no matter
the specifics. Anyone else experienced this? The breakage occurred
somewhere after January 18th, everything worked just peachy then.
Regards,

Roderick

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 29 04:21:11 2004
From: "Simon Gray"
To: "'Bjoern A. Zeeb'", "'Gregory Edigarov'"
cc: freebsd-ipfw@freebsd.org
Subject: RE: ipfw keep-state (ASAP answer needed)
Date: Thu, 29 Jan 2004 12:20:45 -0000

> The following is a fragment of my rc.firewall which must
> allow all traffic in and out of my named.
>
> ----
> ipfw add 4100 allow udp from me to any 53 keep-state
> ipfw add 4200 allow udp from any to me 53
> ipfw add 4300 allow udp from me 53 to any
> ---
> It doesn't work. What am I missing?

AFAIK dns also requires tcp 53

Quick look in google found:

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any

HTH

Simon

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 29 14:48:37 2004
Date: Thu, 29 Jan 2004 23:49:47 +0100
From: Pawel Malachowski
To: freebsd-ipfw@freebsd.org
Subject: Re: 'prevmatch' patch
Message-ID: <20040129224947.GA24612@shellma.zin.lublin.pl>
In-Reply-To: <20040127010224.B11002@xorpc.icir.org>

On Tue, Jan 27, 2004 at 01:02:24AM -0800, Luigi Rizzo wrote:

> + add a new opcode that matches arbitrary bit patterns;

Only in packet headers or in packets data? (Blocking x-kazaa
without the need of using Snort etc.;))

--
Paweł Małachowski

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 30 00:27:00 2004
Date: Fri, 30 Jan 2004 00:26:51 -0800
From: Luigi Rizzo
To: Pawel Malachowski
cc: freebsd-ipfw@freebsd.org
Subject: Re: 'prevmatch' patch
Message-ID: <20040130002651.A90690@xorpc.icir.org>
In-Reply-To: <20040129224947.GA24612@shellma.zin.lublin.pl>

On Thu, Jan 29, 2004 at 11:49:47PM +0100, Pawel Malachowski wrote:
> On Tue, Jan 27, 2004 at 01:02:24AM -0800, Luigi Rizzo wrote:
>
> > + add a new opcode that matches arbitrary bit patterns;
>
> Only in packet headers or in packets data? (Blocking x-kazaa
> without the need of using Snort etc.;))

in the flags.

It is completely trivial to implement a generic 'match' opcode to
look for specific payloads, but 1) it would be very expensive to
run on the packets, and 2) i do not see much of a point, viruses
will soon become something like

        useful instruction
        jmp 1f
        random junk
1:
        useful instruction
        useful instruction
        jmp 2f
        random junk
2:
        useful instruction
        ...

thus defeating any virus scanner based on signatures.
cheers
luigi

> --
> Pawel Malachowski
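Two tagging mechanisms are on the table in this thread: `prevmatch` from Bill's patch, which is true when the previously traversed rule matched (so, directly after a count or skipto), and Luigi's proposal of set/clear bitmasks on non-terminal actions plus a `flags` opcode, which is what he means by matching "in the flags" rather than in the payload. The Python interpreter below is an added example, not code from the patch, from Luigi, or from ipfw; it runs Luigi's sample ruleset and Bill's skipto-into-a-block use case on constructed packets. The `/32` spellings of Luigi's address lists, the allow-all rule 600 standing in for his `...`, the rule numbers of Bill's block (200, 210, 300, 1000 to 1020) and the `flags(mask, op, value)` spelling of the still-undecided `flags` syntax are all assumptions.

```python
"""Toy interpreter for the two tagging ideas in this thread: Bill's
`prevmatch` (true iff the previously traversed rule matched, i.e. after a
count or skipto) and Luigi's per-packet flags (count/skipto set and clear
mask bits; a `flags` opcode tests `flags & mask <op> value`). Added
example, not code from the patch or from ipfw; packets and the rule 600
fallback are constructed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Pkt = namedtuple("Pkt", "src dport")
# action: count | skipto | pipe | allow | deny; conds: predicates (pkt, state) -> bool
Rule = namedtuple("Rule", "num action conds arg set_mask clear_mask",
                  defaults=((), 0, 0, 0))


def src_ip(*nets):
    nets = [ip_network(n) for n in nets]
    return lambda p, st: any(ip_address(p.src) in n for n in nets)


def dst_port(port):
    return lambda p, st: p.dport == port


def flags(mask, op, value):
    """Luigi's proposed opcode, e.g. flags(0x60, "==", 0x20)."""
    ops = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b}
    return lambda p, st: ops[op](st["flags"] & mask, value)


def prevmatch():
    """Bill's opcode: the kernel-side `match = prevmatch`."""
    return lambda p, st: st["prevmatch"]


def evaluate(rules, pkt):
    """Walk the ruleset like ipfw_chk; returns (verdict, flags, numbers of
    the rules that matched). Equal-numbered rules keep insertion order."""
    rules = sorted(rules, key=lambda r: r.num)
    st = {"flags": 0, "prevmatch": False}   # per-packet, fresh each call
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        if not all(c(pkt, st) for c in r.conds):
            st["prevmatch"] = False          # the reset after the opcode scan
            i += 1
            continue
        trace.append(r.num)
        if r.action in ("count", "skipto"):  # non-terminal: tag and move on
            st["flags"] = (st["flags"] | r.set_mask) & ~r.clear_mask
            st["prevmatch"] = True
            if r.action == "skipto":         # first rule numbered >= target
                i = next((k for k, x in enumerate(rules) if x.num >= r.arg),
                         len(rules))
            else:
                i += 1
            continue
        verdict = f"pipe {r.arg}" if r.action == "pipe" else r.action
        return verdict, st["flags"], trace
    return "deny", st["flags"], trace        # ipfw's default rule 65535


def luigi_ruleset():
    """The flag-tagging example from Luigi's mail, plus a constructed
    allow-all rule 600 standing in for whatever follows the '...'."""
    return [
        Rule(100, "count", (src_ip("1.2.3.4/32", "5.6.7.8/32", "9.10.11.12/32"),),
             set_mask=0x10),                                  # good guys
        Rule(100, "count", (dst_port(80),), set_mask=0x20),
        Rule(110, "count", (src_ip("10.0.0.0/8", "192.168.0.0/16"),),
             set_mask=0x40),                                  # bad guys
        Rule(500, "pipe", (flags(0x60, "==", 0x20),), arg=1),
        Rule(500, "deny", (flags(0x40, "!=", 0),)),
        Rule(600, "allow"),
    ]


def bill_ruleset():
    """Bill's use case: address-based skiptos into a port-based block whose
    first rule tests prevmatch, so it fires only when reached via a skipto.
    Rule 1005 shows the reset: once 1000 fails to match, prevmatch is gone."""
    return [
        Rule(200, "skipto", (src_ip("1.2.3.4/32"),), arg=1000),
        Rule(210, "skipto", (src_ip("5.6.7.8/32"),), arg=1000),
        Rule(300, "deny", (src_ip("9.9.9.9/32"),)),
        Rule(1000, "allow", (prevmatch(), dst_port(80))),
        Rule(1005, "allow", (prevmatch(), dst_port(443))),
        Rule(1010, "allow", (dst_port(443),)),
        Rule(1020, "deny"),
    ]
```

`evaluate(luigi_ruleset(), Pkt("1.2.3.4", 80))` yields `('pipe 1', 0x30, [100, 100, 500])`: the two count rules leave 0x30 in the flags and `flags & 0x60 == 0x20` sends the packet to pipe 1, while a source in 10.0.0.0/8 ends up with 0x60 and is denied by the second rule 500. In `bill_ruleset()`, a packet from 1.2.3.4 to port 443 traverses 200 (skipto), fails at 1000 and is then accepted at 1010 rather than 1005, because the failed match at 1000 cleared `prevmatch`: that is the difference between "the previous rule traversed" and "the previous rule in order" that Bill's note draws.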
From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 30 08:47:24 2004
From: Darcy Buskermolen
Organization: Wavefire Technologies Corp.
To: Pawel Malachowski, freebsd-ipfw@freebsd.org
Subject: Re: 'prevmatch' patch
Date: Fri, 30 Jan 2004 08:44:12 -0800
Message-Id: <200401300844.12234.darcy@wavefire.com>
In-Reply-To: <20040129224947.GA24612@shellma.zin.lublin.pl>

On January 29, 2004 02:49 pm, Pawel Malachowski wrote:
> On Tue, Jan 27, 2004 at 01:02:24AM -0800, Luigi Rizzo wrote:
> > + add a new opcode that matches arbitrary bit patterns;
>
> Only in packet headers or in packets data? (Blocking x-kazaa
> without the need of using Snort etc.;))

If you are looking for a content filtering firewall then I suggest you
use something like hogwash.

--
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 31 05:33:53 2004
Message-ID: <401BAEAB.1060705@jonepet.net>
Date: Sat, 31 Jan 2004 14:33:31 +0100
From: Jon-Eirik Pettersen
To: Simon Gray, freebsd-ipfw@freebsd.org
Subject: Re: ipfw keep-state (ASAP answer needed)

Simon Gray wrote:
>> The following is a fragment of my rc.firewall which must
>> allow all traffic in and out of my named.
>>
>> ----
>> ipfw add 4100 allow udp from me to any 53 keep-state
>> ipfw add 4200 allow udp from any to me 53
>> ipfw add 4300 allow udp from me 53 to any
>> ---
>> It doesn't work. What am I missing?
>
> AFAIK dns also requires tcp 53
>
> Quick look in google found:
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${ip} 53 setup
> ${fwcmd} add pass udp from any to ${ip} 53
> ${fwcmd} add pass udp from ${ip} 53 to any
>
> HTH
>
> Simon

If you want to debug firewalls, this in your kernel configuration could
help (if you haven't done it yet):

options IPFIREWALL
options IPFIREWALL_VERBOSE

(remember that it will deny by default, check the handbook if you don't
want it to) and use "deny log" instead of "deny", then ipfw will deliver
deny messages to "security" in syslogd. And "tcpdump -i device" too
(with some grepping if you have much traffic in/out).
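The keep-state thread above ends without anyone spelling out why check-state matters, and Diego Linke's `limit` question earlier in this batch got no reply at all. The following Python model is an added example, not code from any of the posters or from ipfw, and it reproduces the parts of ipfw's dynamic-rule handling those two questions turn on: a keep-state or limit rule probes the dynamic table itself before testing its own body (an implicit check-state), a dynamic hit executes the action of the rule that created the entry, and a limit violation makes the rule simply not match, so the packet falls through to the next rule. Everything numeric is constructed: 192.0.2.10 as the host's own address (`me`), 198.51.100.1 as the upstream resolver, and a rule 3000 that drops inbound UDP ahead of Gregory's three rules, standing in for whatever in his rc.firewall runs before 4100.

```python
"""Toy model of ipfw dynamic rules (check-state, keep-state, limit).

Added example, not code from the list or from ipfw. Mirrors the kernel
behaviour the thread turns on: a keep-state/limit rule first probes the
dynamic table (an implicit check-state); a dynamic hit runs the parent
rule's action; a limit violation makes the rule not match, so the packet
falls through. Addresses and rule 3000 are constructed for the demo."""
from collections import namedtuple

ME = {"192.0.2.10"}   # constructed: the firewall host's own address ("me")

# syn: TCP SYN without ACK, what ipfw's "setup" matches
Pkt = namedtuple("Pkt", "proto src sport dst dport syn", defaults=(False,))
# action: allow | deny | check-state; limit: (("src-addr", ...), N)
Rule = namedtuple("Rule", "num action proto src sport dst dport setup keep_state limit",
                  defaults=("ip", "any", None, "any", None, False, False, None))


def addr_ok(spec, a):
    return spec == "any" or (spec == "me" and a in ME) or spec == a


def static_match(r, p):
    return (r.proto in ("ip", p.proto) and addr_ok(r.src, p.src)
            and addr_ok(r.dst, p.dst) and r.sport in (None, p.sport)
            and r.dport in (None, p.dport) and (not r.setup or p.syn))


def key_of(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def fields_of(key, names):
    """Project a dynamic-rule key onto the limit's key fields."""
    proto, s, sp, d, dp = key
    return tuple({"src-addr": s, "src-port": sp, "dst-addr": d, "dst-port": dp}[n]
                 for n in names)


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.by_num = {r.num: r for r in self.rules}
        self.dyn = {}   # 5-tuple -> number of the rule that installed it

    def _install(self, r, p):
        """keep-state always installs; limit installs only while fewer than
        N entries from this rule share the packet's key fields."""
        if r.limit:
            names, n = r.limit
            want = fields_of(key_of(p), names)
            if sum(num == r.num and fields_of(k, names) == want
                   for k, num in self.dyn.items()) >= n:
                return False
        self.dyn[key_of(p)] = r.num
        return True

    def check(self, p):
        """Verdict plus deciding rule: 'allow 4100', or 'allow dyn:4100' for
        a dynamic hit (the action is the parent rule's)."""
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for r in self.rules:
            if r.action == "check-state" or r.keep_state or r.limit:
                hit = self.dyn.get(key_of(p), self.dyn.get(rev))
                if hit is not None:
                    return f"{self.by_num[hit].action} dyn:{hit}"
                if r.action == "check-state":
                    continue
            if not static_match(r, p):
                continue
            if (r.keep_state or r.limit) and not self._install(r, p):
                continue          # limit exceeded: rule does not match
            return f"{r.action} {r.num}"
        return "deny 65535"       # ipfw's default rule


def dns_reply_verdicts(with_check_state):
    """Gregory's three rules behind a constructed rule 3000 that drops all
    inbound UDP; returns (verdict for our query, verdict for the reply)."""
    rules = [Rule(3000, "deny", "udp", dst="me"),
             Rule(4100, "allow", "udp", src="me", dport=53, keep_state=True),
             Rule(4200, "allow", "udp", dst="me", dport=53),
             Rule(4300, "allow", "udp", src="me", sport=53)]
    if with_check_state:
        rules.append(Rule(2000, "check-state"))
    fw = Firewall(rules)
    query = Pkt("udp", "192.0.2.10", 40123, "198.51.100.1", 53)
    reply = Pkt("udp", "198.51.100.1", 53, "192.0.2.10", 40123)
    return fw.check(query), fw.check(reply)


def pop3_setup_verdicts(limit_fields, n, clients):
    """Diego's rule shape, `allow tcp from any to me 110 setup limit <fields> N`
    behind check-state; clients is a list of (src, sport) SYNs in order."""
    fw = Firewall([Rule(100, "check-state"),
                   Rule(200, "allow", "tcp", dst="me", dport=110, setup=True,
                        limit=(limit_fields, n))])
    return [fw.check(Pkt("tcp", s, sp, "192.0.2.10", 110, syn=True)).split()[0]
            for s, sp in clients]
```

`dns_reply_verdicts(False)` returns `('allow 4100', 'deny 3000')`: the outbound query installs a dynamic entry at 4100, but the reply is dropped at 3000 before any rule gets to consult that entry. With a `check-state` at 2000 the result is `('allow 4100', 'allow dyn:4100')`, which is the whole content of Bjoern's `man ipfw /check-state`. `pop3_setup_verdicts(("src-addr",), 3, ...)` allows three SYNs from one client and lets the fourth fall through to the default deny, while `(("src-addr", "dst-port"), 150)` counts entries per (client, port) pair and therefore allows 200 different clients without ever reaching 150: a single `limit` clause carries one N over one combination of key fields, which is why Diego's second rule validates but does not cap the total.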
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 31 17:38:51 2004
Message-ID: <401C58AF.3000600@jonepet.net>
Date: Sun, 01 Feb 2004 02:38:55 +0100
From: Jon-Eirik Pettersen
To: freebsd-net@freebsd.org
cc: freebsd-ipfw@freebsd.org
Subject: Merge a NAT-router and a Non-NAT-server

Hi.

I'm trying to merge two "servers": one of them is only a NAT-router for
the rest of the LAN, the other one is a host without NAT that needs a
unique IP. I have 3 network interfaces on the other. I want that to take
over the NAT-routing, but I need to use one network device for that
server, and one other for the NAT-routing. All connections from this
host should go thru ed0 without NAT.

Server:
NIC0 (vr0): NAT-network - rest of the network (NET0) - Switch 0
NIC1 (ed0): Default outgoing interface - Internet (NET1) - Switch 1
NIC2 (xl0): LAN (NAT'ed thru vr0) - Internet (NET1) - Switch 1

xl0 and vr0 are on the same switch to the same network, but with
different IPs.

Is this possible?

And another network question: Is it possible to make a virtual network
interface bridged to another one?
From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 2 10:07:50 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE34416A4CF; Mon, 2 Feb 2004 10:07:50 -0800 (PST) Received: from valiant.cnchost.com (valiant.concentric.net [207.155.252.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id 167F943D31; Mon, 2 Feb 2004 10:07:47 -0800 (PST) (envelope-from sahafeez@edgefocus.com) Received: from edgefocus.com (ws130.advancel.com [207.88.142.131] (may be forged)) by valiant.cnchost.com id NAA13556; Mon, 2 Feb 2004 13:07:45 -0500 (EST) [ConcentricHost SMTP Relay 1.16] Errors-To: Message-ID: <401E91C6.8040800@edgefocus.com> Date: Mon, 02 Feb 2004 10:07:02 -0800 
From: Sean Hafeez User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-questions@freebsd.org, freebsd-ipfw@freebsd.org, Karan Gupta , "Eric (E-mail)" Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Strange GRE packet flows... X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Feb 2004 18:07:51 -0000

I have a 4.9 box (router1) running IPFW:

    /sbin/natd -interface rl0 -s
    ipfw add 999 divert natd all from any to any via rl0
    ipfw add pipe 1 ip from any to any in recv vr0
    ipfw add pipe 2 ip from any to any out xmit vr0
    ipfw pipe 1 config mask src-ip 0xffffffff bw 512kbits/s
    ipfw pipe 2 config mask dst-ip 0xffffffff bw 512kbits/s

And on this box I have some GRE tunnels:

    ifconfig gre8 create
    ifconfig gre8 tunnel x.x.x.x y.y.y.y
    ifconfig gre8 inet 172.20.1.13 172.20.1.14 netmask 255.255.255.252
    ifconfig gre8 up
    route add -net 10.0.100.0 -netmask 255.255.255.0 172.20.1.14

The tunnels terminate on a Cisco 1720 or a box running FreeBSD 4.8 or 4.9 (same config as above, reversed). The Cisco or the BSD box are running NAT on their side.

If I ping a box behind the remote side from my desktop, which is behind the router1 box, I drop 3 out of 5 packets.

Now for the strange part: if I get a ping going to that same node from the router1 box and then ping from my desktop, I drop no packets. If I kill the ping on the router1 box, the pings from the desktop start dropping packets. This also works if I ping the external interface on the remote router.

BTW, I have just changed the router1 box from Gentoo Linux using the IPROUTE package for the tunnels to FreeBSD 4.9. It worked just fine with the router1 running Linux.
I would hate to have to change back as I hate Linux and think IPTABLES was written as a replacement for pulling finger nails out with pliers. Thoughts? Thanks! From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 2 11:02:27 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4D25316A4D3 for ; Mon, 2 Feb 2004 11:02:27 -0800 (PST) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id F3E8343D62 for ; Mon, 2 Feb 2004 11:02:13 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.10/8.12.10) with ESMTP id i12J1pFR020836 for ; Mon, 2 Feb 2004 11:01:52 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i12J1psG020830 for ipfw@freebsd.org; Mon, 2 Feb 2004 11:01:51 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 2 Feb 2004 11:01:51 -0800 (PST) Message-Id: <200402021901.i12J1psG020830@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f 
From: FreeBSD bugmaster To: ipfw@FreeBSD.org Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 Feb 2004 19:02:27 -0000

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/29] kern/60719  ipfw  ipfw: Headerless fragments generate cryp

10 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 3 03:09:00 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5ABB916A4CE for ; Tue, 3 Feb 2004 03:09:00 -0800 (PST) Received: from amsfep14-int.chello.nl (amsfep14-int.chello.nl [213.46.243.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3453343D45 for ; Tue, 3 Feb 2004 03:08:56 -0800 (PST) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([62.163.150.222]) by amsfep14-int.chello.nl (InterMail vM.6.00.05.02 201-2115-109-103-20031105) with ESMTP id <20040203110850.IKMX18174.amsfep14-int.chello.nl@sitetronics.com> for ; Tue, 3 Feb 2004 12:08:50 +0100 Message-ID: <401F80EB.6030707@sitetronics.com> Date: Tue, 03 Feb 2004 12:07:23 +0100 
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Line limitations with dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Feb 2004 11:09:00 -0000

First of all -- my understanding of dummynet is that it works on a per-connection basis. For instance, if I limit a host to 30KB/s in an attempt to get the host to not exceed 300KB/s total transfer, and 11 people start transferring, my plan is foiled.

With ALTq it's possible to limit bandwidth on a per-line basis -- is this possible with dummynet as well? (For instance, setting up a limitation by which a host could not transfer over 100KB/s; if 100 people connected with the capability to do so, they'd all receive 1KB/s.) The manpage is rather thin with information on this subject.

Kind regards,
Devon H.
O'Dell From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 3 03:12:53 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AB05416A4CE for ; Tue, 3 Feb 2004 03:12:53 -0800 (PST) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id AA49543D46 for ; Tue, 3 Feb 2004 03:12:52 -0800 (PST) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.8) with ESMTP id i13BCqAF060281; Tue, 3 Feb 2004 03:12:52 -0800 (PST) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id i13BCqXM060280; Tue, 3 Feb 2004 03:12:52 -0800 (PST) (envelope-from rizzo) Date: Tue, 3 Feb 2004 03:12:52 -0800 
From: Luigi Rizzo To: "Devon H. O'Dell" Message-ID: <20040203031252.A60217@xorpc.icir.org> References: <401F80EB.6030707@sitetronics.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <401F80EB.6030707@sitetronics.com>; from dodell@sitetronics.com on Tue, Feb 03, 2004 at 12:07:23PM +0100 cc: freebsd-ipfw@freebsd.org Subject: Re: Line limitations with dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Feb 2004 11:12:54 -0000 On Tue, Feb 03, 2004 at 12:07:23PM +0100, Devon H. O'Dell wrote: > First of all -- my understanding of dummynet is that it works on a > per-connection basis. For instance, if I limit a host to 30KB/s in an attempt no, this is incorrect. By using 'mask's on a pipe, you can set the granularity of operation as you like -- per connection, per host, per group of services, etc. etc. See the ipfw manpage. cheers luigi From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 3 03:18:35 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A1D0416A4CE for ; Tue, 3 Feb 2004 03:18:35 -0800 (PST) Received: from relay.gufi.org (civetta.gufi.org [212.110.23.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 06A3043D2D for ; Tue, 3 Feb 2004 03:18:34 -0800 (PST) (envelope-from ale@FreeBSD.org) Received: from server.alexdupre.com (host245-49.pool8288.interbusiness.it [82.88.49.245]) by relay.gufi.org (Postfix) with ESMTP id C011C20F82 for ; Tue, 3 Feb 2004 12:18:31 +0100 (CET) Received: from FreeBSD.org (thunder.alexdupre.com [192.168.0.101]) i13BIBw0036282; Tue, 3 Feb 2004 12:18:31 +0100 (CET) (envelope-from ale@FreeBSD.org) Message-ID: <401F8373.5000900@FreeBSD.org> Date: Tue, 03 Feb 2004 12:18:11 +0100 
From: Alex Dupre User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4 X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Devon H. O'Dell" References: <401F80EB.6030707@sitetronics.com> In-Reply-To: <401F80EB.6030707@sitetronics.com> X-Enigmail-Version: 0.82.4.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@FreeBSD.org Subject: Re: Line limitations with dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Feb 2004 11:18:35 -0000 Devon H. O'Dell wrote: > First of all -- my understanding of dummynet is that it works on a > per-connection basis. For instance, if I limit a host to 30KB/s in an > attempt to get the host to not exceed 300KB/s total transfer, and 11 > people start transferring, my plain is foiled. Uh? Look at ipfw(4), section "TRAFFIC SHAPER (DUMMYNET) CONFIGURATION". You can limit the total bandwidth using a pipe. -- Alex Dupre From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 3 03:36:47 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B447816A4CE for ; Tue, 3 Feb 2004 03:36:47 -0800 (PST) Received: from amsfep16-int.chello.nl (amsfep16-int.chello.nl [213.46.243.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 10F7A43D2D for ; Tue, 3 Feb 2004 03:36:44 -0800 (PST) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([62.163.150.222]) by amsfep16-int.chello.nl (InterMail vM.6.00.05.02 201-2115-109-103-20031105) with ESMTP id <20040203113642.GCOD1937.amsfep16-int.chello.nl@sitetronics.com>; Tue, 3 Feb 2004 12:36:42 +0100 Message-ID: <401F8773.1020703@sitetronics.com> Date: Tue, 03 Feb 2004 12:35:15 +0100 
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Luigi Rizzo References: <401F80EB.6030707@sitetronics.com> <20040203031252.A60217@xorpc.icir.org> In-Reply-To: <20040203031252.A60217@xorpc.icir.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@freebsd.org Subject: Re: Line limitations with dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Feb 2004 11:36:47 -0000 Luigi Rizzo wrote: > no, this is incorrect. By using 'mask's on a pipe, you can set > the granularity of operation as you like -- per connection, > per host, per group of services, etc. etc. > > See the ipfw manpage. > > cheers > luigi Thanks, Luigi, I must have missed this part :) Reading over it again answers my question :) Kind regards, Devon H. O'Dell From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 4 03:28:12 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E726016A4CE for ; Wed, 4 Feb 2004 03:28:12 -0800 (PST) Received: from tomoyo.MyBSD.org.my (duke.void.net.my [202.157.183.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9ADED43D1F for ; Wed, 4 Feb 2004 03:28:10 -0800 (PST) (envelope-from drl@void.net.my) Received: from void.net.my (unknown [3ffe:80d0:ff11:c:80::]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by tomoyo.MyBSD.org.my (Postfix) with ESMTP id 4079E6CC1F; Wed, 4 Feb 2004 19:31:20 +0800 (MYT) Date: Wed, 4 Feb 2004 19:28:06 +0800 
From: Darryl Yeoh To: "Umar Draz" Message-Id: <20040204192806.0636123f.drl@void.net.my> In-Reply-To: References: X-Mailer: Sylpheed version 0.9.8a (GTK+ 1.2.10; i386-portbld-freebsd4.7) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@freebsd.org Subject: Re: IPFW (Biggner) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Feb 2004 11:28:13 -0000

On Sat, 24 Jan 2004 05:01:56 +0000 "Umar Draz" wrote:

> hi
>
> i am a new user of FreeBSD.
>
> I have a server of Linux 7.3 with a dsl connection. Now on Linux 7.3 i have
> configured Squid as transparent and also Linux 7.3 running as a Gateway.
>
> i have used these commands to configure a transparent Proxy for my users
>
>     iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
>     iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 202.147.x.x
>
> now its running fine. Every Thing is fine. My Clients Just add my
> linux 7.3's ip as a Gateway and DNS (and access the internet)
>
> now i want to replace Linux 7.3 with FreeBSD 4.8. so there is no
> iptables in FreeBSD. there is ipfw. please tell me how i can configure
> my freebsd machine so that my freebsd machine can work as a gateway
> and also run squid as a transparent proxy.
>
> thanks and regards
>
> Umar Draz
>
> _________________________________________________________________
> Help STOP SPAM with the new MSN 8 and get 2 months FREE*
> http://join.msn.com/?page=features/junkmail
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

Hello,

If everything is working fine for you with Linux, why do you need to change it to something else?
Best regards,
Darryl Yeoh

From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 4 07:30:14 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F1B016A4CE for ; Wed, 4 Feb 2004 07:30:14 -0800 (PST) Received: from pd3mo1so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id D59E143D1F for ; Wed, 4 Feb 2004 07:30:12 -0800 (PST) (envelope-from sdrew@shaw.ca) Received: from pd5mr1so.prod.shaw.ca (pd5mr1so-qfe3.prod.shaw.ca [10.0.141.232]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0HSK00EA2GC0CM@l-daemon> for freebsd-ipfw@freebsd.org; Wed, 04 Feb 2004 08:28:48 -0700 (MST) Received: from pn2ml2so.prod.shaw.ca (pn2ml2so-qfe0.prod.shaw.ca [10.0.121.146]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0HSK005CJGC0B0@l-daemon> for freebsd-ipfw@freebsd.org; Wed, 04 Feb 2004 08:28:48 -0700 (MST) Received: from stevehome (h68-146-82-16.cg.shawcable.net [68.146.82.16]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0HSK0005SGC0V3@l-daemon> for freebsd-ipfw@freebsd.org; Wed, 04 Feb 2004 08:28:48 -0700 (MST) Date: Wed, 04 Feb 2004 08:28:42 -0700
From: Steve Drew In-reply-to: <20040204192806.0636123f.drl@void.net.my> To: 'Umar Draz' Message-id: <0HSK0005TGC0V3@l-daemon> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Thread-index: AcPrEgHhoQsEGSeLTt6cX7d7sx4H2QAIRRwg cc: freebsd-ipfw@freebsd.org Subject: RE: IPFW (Biggner) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Feb 2004 15:30:14 -0000

Squid listens on the inside interface; then add an ipfw rule as follows:

    ipfw add 100 fwd , tcp from any to any 80 in recv

Of course you still need the correct squid settings to handle the transparent connection, as you would have done under Linux.

/Steve.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 03:32:43 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DDE0516A53B for ; Fri, 6 Feb 2004 03:32:42 -0800 (PST) Received: from kac.cnri.dit.ie (kac.cnri.dit.ie [147.252.43.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id ED68643D41 for ; Fri, 6 Feb 2004 03:32:39 -0800 (PST) (envelope-from orly@kac.cnri.dit.ie) Received: from kac.cnri.dit.ie (localhost.cnri.dit.ie [127.0.0.1]) by kac.cnri.dit.ie (8.12.10/8.12.9) with ESMTP id i16BWb5M088382; Fri, 6 Feb 2004 11:32:37 GMT (envelope-from orly@kac.cnri.dit.ie) Received: (from orly@localhost) by kac.cnri.dit.ie (8.12.10/8.12.4/Submit) id i16BWbaH088381; Fri, 6 Feb 2004 11:32:37 GMT Date: Fri, 6 Feb 2004 11:32:37 +0000
From: Orla McGann To: Luigi Rizzo Message-ID: <20040206113236.A88002@kac.cnri.dit.ie> References: <20040114130122.A86000@xorpc.icir.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040114130122.A86000@xorpc.icir.org> User-Agent: Mutt/1.3.22.1i cc: ipfw@freebsd.org Subject: Re: Request for review: ipfw2 for IPV6 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2004 11:32:43 -0000

On Wed, Jan 14, 2004 at 01:01:22PM -0800, Luigi Rizzo wrote:

Hi Luigi,

> We would really appreciate testing by someone who is a kernel programmer
> who has access to ipv6 network and some knowledge of the ipv6 code,
> and thus can give advice on how to improve this code, and possibly
> suggest fixes for the trivial bugs that are there.

I installed the patch on my machine, which is running 4.9-STABLE, so I had to add "options IPFW2" to my kernel. My machine already had ipfw getting rules from my rc.firewall script, so I noticed the following problems straight away:

1. Rules that say "ip" mean allow "all", so they should be printed as allow all when you do an ipfw show, so it is not mistaken for solely ipv4 traffic.

2. Some ipv4 rules appeared as "me6". In /usr/src/sbin/ipfw/ipfw2.c there is the following code:

    strncmp(av, "ipv6", strlen(av))

which I think should be

    strcmp(av, "ipv6")

because the strncmp() function is matching "ip" instead of "ipv6". A similar problem occurred where it matched "me6" instead of "me", for the same reason given above.

3. Autoconfiguration of my (ipv6) address didn't work, so I would suggest that default rules for neighbour discovery should be added to the rc.firewall script:

    ipfw add 400 allow ipv6-icmp from :: to ff02::/16
    ipfw add 500 allow ipv6-icmp from fe80::/10 to fe80::/10
    ipfw add 600 allow ipv6-icmp from fe80::/10 to ff02::/16

4. You can't specify a netmask of /0 for ipv6; it gets interpreted as "me6" in the rules. I got around this by adding the following rules, but it's not ideal:

    ipfw add allow all from ::/1 to ::/1
    ipfw add allow all from 8000::/1 to 8000::/1
    ipfw add allow all from 8000::/1 to ::/1
    ipfw add allow all from ::/1 to 8000::/1

5. Perhaps there should be no distinction between "me" and "me6" (i.e. have me mean either ipv4 or ipv6), or else there should be an "any6" keyword if there is to be a "me6".

6. There should probably be an option to have ipfw2 only handle ipv4 traffic (and allow ip6fw to firewall ipv6 traffic).

7. The error messages are a bit ambiguous. If I give ipfw a rule such as:

    ipfw add allow ipv6 from any to any

or

    ipfw add allow from any to any

I get the error message -> Unrecognised Option [-1] from

but if I use a rule like:

    ipfw add allow ipv4 from any to any

I get the error message -> Unrecognised Option [-1] ipv4

> The system _will_ panic if you are trying to use dummynet on
> output packets, the reasons of the panic are still to investigate.
> Dummynet on the input path seems to work, as well as on layer2.
> There might be other bugs, which I would be happy to hear about
> as i only did very limited testing.

The other thing that I came across is that the fill_icmp6types() and fill_ext6hdr() functions don't get called anywhere in /usr/src/sbin/ipfw/ipfw2.c. I have added some extra code here, but I am still testing it. I will post a diff of my changes once I'm done debugging it.

Regards,
Orla

--
Give a man a fish; you have fed him for today. Teach a man to use the Net and he won't bother you for weeks.
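The prefix-matching problem in item 2, as an added example that is not ipfw2.c's own code: a keyword lookup that bounds strncmp() by strlen(av) accepts any prefix of the keyword, so the token "ip" lands on "ipv6", "me" on "me6", and an empty token on whichever keyword is checked first. The enum and keyword table below are hypothetical stand-ins for the parser's dispatch, not ipfw2's data structures; the exact-match version beside the buggy one is the strcmp() fix proposed above.

```c
/* Added example: why strncmp(av, keyword, strlen(av)) misclassifies rule
 * tokens, and the exact-match lookup that fixes it. The enum and table are
 * hypothetical stand-ins for ipfw2's parser dispatch, not its real code. */
#include <stdio.h>
#include <string.h>

enum proto_sel { SEL_UNKNOWN = 0, SEL_IP_ANY, SEL_IPV6, SEL_ME, SEL_ME6 };

struct keyword {
    const char *name;
    enum proto_sel sel;
};

/* Hypothetical table. With the buggy matcher the order matters, because the
 * first prefix hit wins; listing the longer keyword first reproduces the
 * behaviour reported above ("ip" taken as "ipv6", "me" taken as "me6"). */
static const struct keyword keywords[] = {
    { "ipv6", SEL_IPV6   },
    { "ip",   SEL_IP_ANY },   /* "ip" means any family, i.e. "all" */
    { "me6",  SEL_ME6    },
    { "me",   SEL_ME     },
};
#define NKEYWORDS (sizeof keywords / sizeof keywords[0])

/* Buggy form: only strlen(av) bytes are compared, so av matches whenever it
 * is a prefix of the keyword. An empty token (strlen 0) matches everything. */
enum proto_sel classify_prefix_bug(const char *av)
{
    size_t i;

    for (i = 0; i < NKEYWORDS; i++)
        if (strncmp(av, keywords[i].name, strlen(av)) == 0)
            return keywords[i].sel;
    return SEL_UNKNOWN;
}

/* Fixed form: whole-token comparison. Table order no longer matters, and
 * tokens the table does not know ("ipv4", "") fall through to SEL_UNKNOWN
 * instead of silently selecting a different address family. */
enum proto_sel classify_exact(const char *av)
{
    size_t i;

    for (i = 0; i < NKEYWORDS; i++)
        if (strcmp(av, keywords[i].name) == 0)
            return keywords[i].sel;
    return SEL_UNKNOWN;
}

static const char *sel_name(enum proto_sel s)
{
    switch (s) {
    case SEL_IP_ANY: return "ip (any family)";
    case SEL_IPV6:   return "ipv6";
    case SEL_ME:     return "me";
    case SEL_ME6:    return "me6";
    default:         return "unrecognised";
    }
}

int main(void)
{
    /* Constructed tokens: the ones discussed in the review plus the empty
     * string, which is the worst case for the bounded compare. */
    const char *tokens[] = { "ip", "ipv6", "me", "me6", "ipv4", "" };
    size_t i;

    for (i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        printf("%-5s  buggy: %-16s  fixed: %s\n", tokens[i],
               sel_name(classify_prefix_bug(tokens[i])),
               sel_name(classify_exact(tokens[i])));
    return 0;
}
```

The point for a firewall rule parser is that the buggy form does not reject the rule, it changes which traffic the rule covers: an "ip" (any family) rule is installed and displayed as an ipv6 rule, which is exactly the mismatch reported in items 1 and 2. The fixed lookup turns "ipv4" and the empty token into an unrecognised-option error, consistent with the message reported for "ipv4" in item 7.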
From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 09:56:41 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB09816A4CE for ; Fri, 6 Feb 2004 09:56:41 -0800 (PST) Received: from franklin-belle.com (adsl-65-68-247-73.dsl.crchtx.swbell.net [65.68.247.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2566E43D39 for ; Fri, 6 Feb 2004 09:56:10 -0800 (PST) (envelope-from jacks@sage-american.com) Received: from sagea (sagea.sage-american [10.0.0.3]) by franklin-belle.com (8.12.8p2/8.12.8) with SMTP id i16Htt0k002576 for ; Fri, 6 Feb 2004 11:55:55 -0600 (CST) (envelope-from jacks@sage-american.com) Message-Id: <3.0.5.32.20040206115553.01ea6670@10.0.0.15> X-Sender: jacks@10.0.0.15 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Fri, 06 Feb 2004 11:55:53 -0600 To: freebsd-ipfw@freebsd.org 
From: "Jack L. Stone" Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, hits=0.1 required=4.5 tests=AWL autolearn=ham version=2.63-sageame.rules_v3.1 X-Spam-Checker-Version: SpamAssassin 2.63-sageame.rules_v3.1 (2004-01-11) on franklin-belle.com Subject: Syntax to block 38 IPs X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2004 17:56:41 -0000

Am running IPFW on FBSD-4.8p14.

For almost a year (or more), one of my servers has been hammered by redalert.com, a service to which I do not subscribe. My efforts to get them to stop have gone ignored. Every night, the server is peppered with their "taps".

Thus, it's time to use a firewall rule to stop it. The problem is that they use a broad range of source IPs. The list I show here is only for the past 4 days. I don't want to block any innocent IPs and wondered how I could best create a rule(s) to stop the 38 IPs below without 38 individual lines in the rules...??

Appreciate help! Thanks!

209.102.202.131
209.102.202.132
209.102.202.133
209.102.202.134
209.102.202.135
209.102.202.136
209.102.202.137
209.102.202.151
209.102.202.152
209.102.202.153
209.102.202.154
209.102.202.155
209.102.202.156
209.102.202.157
209.102.202.165
65.194.51.131
65.194.51.132
65.194.51.133
65.194.51.134
65.194.51.135
65.194.51.136
65.194.51.137
65.194.51.151
65.194.51.152
65.194.51.153
65.194.51.154
65.194.51.155
65.194.51.156
65.194.51.157
65.194.51.165
66.226.213.131
66.226.213.132
66.226.213.133
66.226.213.134
66.226.213.135
66.226.213.136
66.226.213.137
66.226.213.165

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 10:00:47 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 98C6016A4CE for ; Fri, 6 Feb 2004 10:00:47 -0800 (PST) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58D5B43D39 for ; Fri, 6 Feb 2004 10:00:45 -0800 (PST) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.8) with ESMTP id i16I0jAF062777; Fri, 6 Feb 2004 10:00:45 -0800 (PST) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id i16I0jfe062776; Fri, 6 Feb 2004 10:00:45 -0800 (PST) (envelope-from rizzo) Date: Fri, 6 Feb 2004 10:00:45 -0800
From: Luigi Rizzo To: "Jack L. Stone" Message-ID: <20040206100045.A62737@xorpc.icir.org> References: <3.0.5.32.20040206115553.01ea6670@10.0.0.15> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3.0.5.32.20040206115553.01ea6670@10.0.0.15>; from jacks@sage-american.com on Fri, Feb 06, 2004 at 11:55:53AM -0600 cc: freebsd-ipfw@freebsd.org Subject: Re: Syntax to block 38 IPs X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2004 18:00:47 -0000

use ipfw2 -- see the address set syntax in 'man ipfw'

luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 10:09:59 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7738916A4CE for ; Fri, 6 Feb 2004 10:09:59 -0800 (PST) Received: from mail.sandvine.com (sandvine.com [199.243.201.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id C894143D46 for ; Fri, 6 Feb 2004 10:09:57 -0800 (PST) (envelope-from don@sandvine.com) Received: by mail.sandvine.com with Internet Mail Service (5.5.2657.72) id ; Fri, 6 Feb 2004 13:09:56 -0500 Message-ID:
From: Don Bowman
To: "'Jack L. Stone'", freebsd-ipfw@freebsd.org
Date: Fri, 6 Feb 2004 13:09:48 -0500
Subject: RE: Syntax to block 38 IPs

From: Jack L. Stone [mailto:jacks@sage-american.com]
>
> Am running IPFW on FBSD-4.8p14
>
> For almost a year (or more), one of my servers has been hammered by
> redalert.com, a service to which I do not subscribe. My efforts to get them
> to stop have gone ignored. Every night, the server is peppered with their
> "taps".
>
> Thus, it's time to use a firewall rule to stop it. The problem is that they
> use a broad range of source IPs. The list I show here is only for the past
> 4 days. I don't want to block any innocent IPs and wondered how I could
> best create a rule(s) to stop the 38 IPs below without 38 individual lines
> in the rules...??
>
> Appreciate help! Thanks!

deny ip from { 209.102.202.131, 209.102.202.132, ...} to any

this uses IPFW2 I think.

from the shell, remember to escape the { as \{.

you could also send a RST i suppose, but just dropping it is best.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 10:13:28 2004
Date: Fri, 6 Feb 2004 10:13:26 -0800
From: Luigi Rizzo
To: Don Bowman
Message-ID: <20040206101326.B62986@xorpc.icir.org>
cc: "'Jack L. Stone'", freebsd-ipfw@freebsd.org
Subject: Re: Syntax to block 38 IPs

On Fri, Feb 06, 2004 at 01:09:48PM -0500, Don Bowman wrote:
...
> deny ip from { 209.102.202.131, 209.102.202.132, ...} to any

this is still inefficient. Better to use

	deny ip from 209.102.202.0/24{131,132,157,190,1,86} ...

which uses a bitmap to represent the list of hosts and has constant
processing time as opposed to having to scan a list.

	cheers
	luigi

> this uses IPFW2 I think.
>
> from the shell, remember to escape the { as \{.
>
> you could also send a RST i suppose, but just dropping it is
> best.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 10:54:19 2004
Message-Id: <3.0.5.32.20040206125411.01e841f0@10.0.0.15>
Date: Fri, 06 Feb 2004 12:54:11 -0600
To: Luigi Rizzo, Don Bowman
From: "Jack L. Stone"
In-Reply-To: <20040206101326.B62986@xorpc.icir.org>
cc: freebsd-ipfw@freebsd.org
Subject: Re: Syntax to block 38 IPs

TopPost:
Thanks for the quick responses.

So, I gather under IPFW(#1), it's either 38 lines or upgrade to IPFW2

I haven't had time to study IPFW2 too well, although I know how to upgrade.
A follow-up question is that, if I do upgrade, will IPFW2 still use my old
rules until I can get around to tuning/tweaking...??

At 10:13 AM 2.6.2004 -0800, Luigi Rizzo wrote:
>On Fri, Feb 06, 2004 at 01:09:48PM -0500, Don Bowman wrote:
>...
>> deny ip from { 209.102.202.131, 209.102.202.132, ...} to any
>
>this is still inefficient. Better to use
>
>	deny ip from 209.102.202.0/24{131,132,157,190,1,86} ...
>
>which uses a bitmap to represent the list of hosts and has constant
>processing time as opposed to having to scan a list.
>
>	cheers
>	luigi

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 12:01:11 2004
From: "Vasenin Alexander aka BlackSir"
To: "Jack L. Stone", "Luigi Rizzo", "Don Bowman"
Date: Fri, 6 Feb 2004 22:59:03 +0300
In-Reply-To: <3.0.5.32.20040206125411.01e841f0@10.0.0.15>
cc: freebsd-ipfw@freebsd.org
Subject: RE: Syntax to block 38 IPs

To upgrade to IPFW2 you need to recompile the kernel with the IPFW2 option,
recompile the 'libalias' library and the 'ipfw' control program. man ipfw
would help. I'm not sure, but I suppose IPFW2 isn't marked STABLE for 4.x.

With ipfw1 there are 2 ways to solve your problem:
1. Just add 38 lines to your rule list and forget about it
2. ipfw deny ip from 209.102.202.0/24
   ipfw deny ip from 65.194.51.0/24

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Jack L. Stone
> Sent: Friday, February 06, 2004 9:54 PM
> To: Luigi Rizzo; Don Bowman
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: Syntax to block 38 IPs
>
> TopPost:
> Thanks for the quick responses.
>
> So, I gather under IPFW(#1), it's either 38 lines or upgrade to IPFW2
>
> I haven't had time to study IPFW2 too well, although I know how
> to upgrade.
> A follow-up question is that, if I do upgrade, will IPFW2 still use my old
> rules until I can get around to tuning/tweaking...??

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 12:12:14 2004
From: "Vasenin Alexander aka BlackSir"
To: "Jack L. Stone", "Luigi Rizzo", "Don Bowman"
Date: Fri, 6 Feb 2004 23:10:25 +0300
cc: freebsd-ipfw@freebsd.org
Subject: RE: Syntax to block 38 IPs

Mmmm.... of course

2. ipfw deny ip from 209.102.202.0/24 to any
   ipfw deny ip from 65.194.51.0/24 to any

or

2. ipfw deny ip from 209.102.202.0/24 to me
   ipfw deny ip from 65.194.51.0/24 to me

> > A follow-up question is that, if I do upgrade, will IPFW2 still
> use my old
> > rules until I can get around to tuning/tweaking...??

In my case (I'm using ipfw rules to count traffic from our clients; small ISP
company) everything works perfectly after the ipfw1->ipfw2 upgrade with the
same ruleset.
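Luigi's net/24{list} form and the whole-/24 fallback discussed above, modelled as added example code (mine, not from the thread and not ipfw's own implementation): it groups a flat address list into per-/24 host bitmaps, emits the matching IPFW2 rules, shows the constant-time lookup next to the list scan it replaces, and counts how many unlisted hosts a plain "deny ip from net/24" would also block. Standard-library Python; the sample addresses are a subset of the 38 quoted in the thread, and the masklen range 24..32 with the last byte as the list index follows ipfw(8).

```python
"""Model ipfw2 'addr/masklen{list}' source sets as bitmaps (added example)."""
from dataclasses import dataclass

# Constructed sample: a subset of the 38 source addresses quoted in the thread.
THREAD_ADDRS = [
    "209.102.202.131", "209.102.202.132", "209.102.202.133",
    "209.102.202.151", "209.102.202.165",
    "65.194.51.131", "65.194.51.157",
    "66.226.213.137",
]


def ip2int(dotted):
    """Parse a dotted quad into a 32-bit int, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a << 24) | (b << 16) | (c << 8) | d


def int2ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


@dataclass
class HostBitmap:
    """One 'addr/masklen{list}' entry.

    ipfw(8) allows masklen 24..32 and the braces list the *last byte* of each
    address, so the set is a 256-bit bitmap indexed by that byte. A Python int
    serves as the bit vector here.
    """
    network: int          # base address, host bits cleared in __post_init__
    masklen: int = 24
    bits: int = 0

    def __post_init__(self):
        if not 24 <= self.masklen <= 32:
            raise ValueError("masklen must be between 24 and 32")
        self.network &= self.mask

    @property
    def mask(self):
        return (0xFFFFFFFF << (32 - self.masklen)) & 0xFFFFFFFF

    def add(self, addr):
        if addr & self.mask != self.network:
            raise ValueError(f"{int2ip(addr)} is outside {int2ip(self.network)}/{self.masklen}")
        self.bits |= 1 << (addr & 0xFF)

    def matches(self, addr):
        """Constant time: one masked compare and one bit test, however many
        hosts are listed (Luigi's point against scanning a {a,b,c} list)."""
        return addr & self.mask == self.network and bool((self.bits >> (addr & 0xFF)) & 1)

    def hosts(self):
        return [h for h in range(256) if (self.bits >> h) & 1]

    def ipfw_source(self):
        # Rules-file syntax; at an interactive shell the braces must be
        # escaped (\{ ... \}), as Don noted.
        return f"{int2ip(self.network)}/{self.masklen}{{{','.join(map(str, self.hosts()))}}}"


def scan_matches(listed, addr):
    """The naive alternative: walk the list, cost growing with its length."""
    return any(addr == ip2int(a) for a in listed)


def build_bitmaps(addrs):
    """Group addresses by /24; returns {'x.y.z.0/24': HostBitmap}."""
    groups = {}
    for a in addrs:
        n = ip2int(a)
        key = f"{int2ip(n & 0xFFFFFF00)}/24"
        groups.setdefault(key, HostBitmap(n & 0xFFFFFF00, 24)).add(n)
    return groups


def ipfw2_bitmap_rules(addrs, action="deny", dst="any"):
    """One rule per /24, ordered by network address."""
    bitmaps = sorted(build_bitmaps(addrs).values(), key=lambda bm: bm.network)
    return [f"ipfw add {action} ip from {bm.ipfw_source()} to {dst}" for bm in bitmaps]


def wholenet_collateral(bm):
    """Unlisted hosts that a plain 'deny ip from net/masklen' (the ipfw1
    fallback suggested in the thread) would block on top of the listed ones."""
    return (1 << (32 - bm.masklen)) - len(bm.hosts())


if __name__ == "__main__":
    for rule in ipfw2_bitmap_rules(THREAD_ADDRS):
        print(rule)
    for key, bm in build_bitmaps(THREAD_ADDRS).items():
        print(f"{key}: {len(bm.hosts())} listed; a whole-net deny adds "
              f"{wholenet_collateral(bm)} unlisted hosts")
```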
From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 12:18:06 2004
Message-Id: <3.0.5.32.20040206141728.01ea93b0@10.0.0.15>
Date: Fri, 06 Feb 2004 14:17:28 -0600
To: "Vasenin Alexander aka BlackSir", "Luigi Rizzo", "Don Bowman"
From: "Jack L. Stone"
cc: freebsd-ipfw@freebsd.org
Subject: RE: Syntax to block 38 IPs

Thanks, folks for the suggestions. I was planning to do the #2 suggestion
here, BUT, a pleasant surprise happened -- I just now received a message from
an official who is contacting the RedAlert team to (hopefully) resolve this
issue on their server so the FW won't be necessary. I'll keep an eye on the
logs.

Now, I'd better begin a more complete study of IPFW2....

At 10:59 PM 2.6.2004 +0300, Vasenin Alexander aka BlackSir wrote:
>To upgrade to IPFW2 you need to recompile the kernel with the IPFW2 option,
>recompile the 'libalias' library and the 'ipfw' control program. man ipfw
>would help. I'm not sure, but I suppose IPFW2 isn't marked STABLE for 4.x.
>With ipfw1 there are 2 ways to solve your problem:
>1. Just add 38 lines to your rule list and forget about it
>2. ipfw deny ip from 209.102.202.0/24
>   ipfw deny ip from 65.194.51.0/24

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 12:31:03 2004
Message-Id: <3.0.5.32.20040206142953.01ea93b0@10.0.0.15>
Date: Fri, 06 Feb 2004 14:29:53 -0600
To: "Vasenin Alexander aka BlackSir", "Luigi Rizzo", "Don Bowman"
From: "Jack L. Stone"
cc: freebsd-ipfw@freebsd.org
Subject: RE: Syntax to block 38 IPs

Vasenin: Thanks again! My other email crossed with this and looks like
RedAlert may fix the problem themselves -- would be nice and I can forget
this one. I want to get busy moving on up to IPFW2 and make use of some of
the great new syntax....

At 11:10 PM 2.6.2004 +0300, Vasenin Alexander aka BlackSir wrote:
>Mmmm.... of course
>2. ipfw deny ip from 209.102.202.0/24 to any
>   ipfw deny ip from 65.194.51.0/24 to any
>
>or
>2. ipfw deny ip from 209.102.202.0/24 to me
>   ipfw deny ip from 65.194.51.0/24 to me
>
>> > A follow-up question is that, if I do upgrade, will IPFW2 still
>> use my old
>> > rules until I can get around to tuning/tweaking...??
>In my case (I'm using ipfw rules to count traffic from our clients; small ISP
>company) everything works perfectly after the ipfw1->ipfw2 upgrade with the
>same ruleset.

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 16:24:17 2004
Message-ID: <40243129.7060400@gmx.net>
Date: Sat, 07 Feb 2004 01:28:25 +0100
From: Thomas Vogt
To: freebsd-ipfw@freebsd.org
Subject: ipfw2/dummynet set new mss on thy fly

Hi

Is it possible to modify the mss with ipfw2/dummynet? This is necessary
to fix wrong window implementations for example for adsl providers.

Something like "modify mss=1452 tcp from any to any out recv em0 xmit
em1 tcpflags syn". (Of course this string is wrong, it's just to give
you an impression).

I know there is a tcpmssd port but it uses divert. I've to modify every
packet on gigabit lan (at least 200mb/s traffic). So tcpmssd is a bit too
slow.

We already have an ipfw1 patch and it's not that difficult to port it to
ipfw2. But I'm not sure if ipfw2/dummynet already has something similar
implemented by default.
Any hints?
cheers,
Thomas

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 6 17:11:35 2004
Message-Id: <200402070111.i171BX0R019173@whizzo.transsys.com>
To: Thomas Vogt
From: "Louis A. Mamakos"
In-reply-to: Your message of "Sat, 07 Feb 2004 01:28:25 +0100." <40243129.7060400@gmx.net>
Date: Fri, 06 Feb 2004 20:11:33 -0500
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2/dummynet set new mss on thy fly

Can't you write a rule that only diverts packets with the SYN bit set?
It's the only time a TCP MSS option is allowed to be set. It doesn't
seem like there's any reason to send all the traffic through tcpmssd.

(And the problem isn't a "wrong" windows implementation, it's broken
Path MTU discovery due to overzealous filtering of ICMP.)

louie

> Is it possible to modify the mss with ipfw2/dummynet? This is necessary
> to fix wrong window implementations for example for adsl providers.
>
> I know there is a tcpmssd port but it uses divert. I've to modify every
> packet on gigabit lan (at least 200mb/s traffic). So tcpmssd is a bit too
> slow.
>
> We already have an ipfw1 patch and it's not that difficult to port it to
> ipfw2. But I'm not sure if ipfw2/dummynet already has something similar
> implemented by default.
> Any hints?
>
> cheers,
> Thomas

From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 7 18:30:51 2004
Date: Sat, 7 Feb 2004 16:30:28 -1000 (HST)
From: Vincent Poy
To: ipfw@FreeBSD.ORG
Message-ID: <20040207161857.C8264-100000@oahu.WURLDLINK.NET>
Subject: FreeBSD Traffic Shaping help needed

Greetings all:

I have an ADSL connection where the upstream pipe is smaller than the
downstream with it at 1.5Mbps/384kbps now and will be upgrading to
6Mbps/608kbps soon. The issue I'm having is that whenever I upload, it
fills the upstream to full capacity and the downstream would lag as the
ACKs can't be sent back in time. I only have one interface (xl0) on my
notebook so what I want to do is exclude the traffic between
209.204.138.224/29 and 192.168.0.0/16 from being part of the three queues
shown below as the IP ranges are all local on the Cisco Catalyst Gigabit
Ethernet switch and the FreeBSD box is already functioning correctly as a
NAT router with these options in the KERNEL config:

options IPFIREWALL
options IPDIVERT
options DUMMYNET
options BRIDGE

This is what my script looks like so far:

ipfw enable one_pass
ipfw add pipe 1 config bw 384Kbit/s
ipfw add queue 1 all from any to any out xmit xl0
ipfw add queue 1 config pipe 1 weight 20
ipfw add allow all from 192.168.0.0/16 to 192.168.0.0/16
ipfw add allow all from 192.168.0.0/16 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add queue 1 from any to any
ipfw add allow all from 192.168.0.0/16 to 192.168.0.0/16
ipfw add allow all from 192.168.0.0/16 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add queue 2 from any to any
ipfw add queue 2 tcp from any to any 22 out xmit xl0
ipfw add queue 2 udp from any to any out xmit xl0
ipfw add queue 2 config pipe 1 weight 25
ipfw add allow all from 192.168.0.0/16 to 192.168.0.0/16
ipfw add allow all from 192.168.0.0/16 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add queue 3 from any to any
ipfw add queue 3 tcp tcpflags ack iplen 0-80 from any to any out xmit xl0
ipfw add queue 3 config pipe 1 weight 30

Am I doing this correctly since how do I exclude the defined IPs only from
each of the 3 individual queues? Thanks!

Cheers,
Vince - vince@WURLDLINK.NET - Vice President
Unix Networking Operations - FreeBSD-Real Unix for Free
WurldLink Corporation
San Francisco - Honolulu - Hong Kong
HongKong Stars/Gravis UltraSound Mailing Lists Admin
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin

From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 7 18:44:10 2004
Date: Sat, 7 Feb 2004 16:43:52 -1000 (HST)
From: Vincent Poy
To: freebsd-ipfw@FreeBSD.ORG
Message-ID: <20040207164255.P8264-100000@oahu.WURLDLINK.NET>
Subject: FreeBSD Traffic Shaping help needed

Greetings all:

I have an ADSL connection where the upstream pipe is smaller than the
downstream with it at 1.5Mbps/384kbps now and will be upgrading to
6Mbps/608kbps soon. The issue I'm having is that whenever I upload, it
fills the upstream to full capacity and the downstream would lag as the
ACKs can't be sent back in time. I only have one interface (xl0) on my
notebook so what I want to do is exclude the traffic between
209.204.138.224/29 and 192.168.0.0/16 from being part of the three queues
shown below as the IP ranges are all local on the Cisco Catalyst Gigabit
Ethernet switch and the FreeBSD box is already functioning correctly as a
NAT router with these options in the KERNEL config:

options IPFIREWALL
options IPDIVERT
options DUMMYNET
options BRIDGE

This is what my script looks like so far:

ipfw enable one_pass
ipfw add pipe 1 config bw 384Kbit/s
ipfw add queue 1 all from any to any out xmit xl0
ipfw add queue 1 config pipe 1 weight 20
ipfw add allow all from 192.168.0.0/16 to 192.168.0.0/16
ipfw add allow all from 192.168.0.0/16 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add queue 1 from any to any
ipfw add allow all from 192.168.0.0/16 to 192.168.0.0/16
ipfw add allow all from 192.168.0.0/16 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add queue 2 from any to any
ipfw add queue 2 tcp from any to any 22 out xmit xl0
ipfw add queue 2 udp from any to any out xmit xl0
ipfw add queue 2 config pipe 1 weight 25
ipfw add allow all from 192.168.0.0/16 to 192.168.0.0/16
ipfw add allow all from 192.168.0.0/16 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add allow all from 209.204.138.224/29 to 209.204.138.224/29
ipfw add queue 3 from any to any
ipfw add queue 3 tcp tcpflags ack iplen 0-80 from any to any out xmit xl0
ipfw add queue 3 config pipe 1 weight 30

Am I doing this correctly since how do I exclude the defined IPs only from
each of the 3 individual queues as I noticed it doesn't really specify the
queue number? Thanks!

Cheers,
Vince - vince@WURLDLINK.NET - Vice President
Unix Networking Operations - FreeBSD-Real Unix for Free
WurldLink Corporation
San Francisco - Honolulu - Hong Kong
HongKong Stars/Gravis UltraSound Mailing Lists Admin
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
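Returning to the MSS thread earlier on this page: the SYN-only clamp that Louie's suggestion amounts to, as added example code (mine; it is neither the tcpmssd port nor the ipfw1 patch Thomas mentions). It rewrites the MSS option only in segments with SYN set, passes everything else through untouched, stops on a malformed option list rather than guessing, and recomputes the TCP checksum; the packets are constructed inline for the demonstration, and 1452 is the value from Thomas's example rule.

```python
"""SYN-only TCP MSS clamp over raw IPv4/TCP bytes (added example)."""
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def ones_complement_sum(data):
    """RFC 1071 checksum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src, dst, tcp):
    """Checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    return ones_complement_sum(pseudo + bytes(tcp))


def build_packet(src, dst, flags, options=b"", payload=b""):
    """Constructed IPv4/TCP segment with valid checksums (demo input only)."""
    src, dst = socket.inet_aton(src), socket.inet_aton(dst)
    options += b"\x00" * (-len(options) % 4)          # pad options to 32 bits
    doff = 5 + len(options) // 4
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, flags,
                                65535, 0, 0) + options + payload)
    struct.pack_into("!H", tcp, 16, tcp_checksum(src, dst, tcp))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                               0x4000, 64, socket.IPPROTO_TCP, 0, src, dst))
    struct.pack_into("!H", ip, 10, ones_complement_sum(bytes(ip)))
    return bytes(ip + tcp)


def _mss_offset(tcp):
    """Walk the TCP options; return the offset of the MSS value, or None.
    A malformed option list ends the walk so the packet is left alone."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == OPT_EOL:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            return None
        length = tcp[i + 1]
        if length < 2 or i + length > doff:
            return None
        if kind == OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def read_mss(packet):
    tcp = packet[(packet[0] & 0x0F) * 4:]
    off = _mss_offset(tcp)
    return None if off is None else struct.unpack_from("!H", tcp, off)[0]


def clamp_mss(packet, max_mss):
    """Return (packet, original_mss). Only SYN segments carry a meaningful
    MSS option (Louie's point), so only they are inspected and rewritten."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP:
        return packet, None
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & TCP_SYN:
        return packet, None
    off = _mss_offset(tcp)
    if off is None:
        return packet, None
    old = struct.unpack_from("!H", tcp, off)[0]
    if old <= max_mss:
        return packet, old
    struct.pack_into("!H", tcp, off, max_mss)
    struct.pack_into("!H", tcp, 16, 0)                 # zero, then recompute
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[12:16], packet[16:20], tcp))
    return packet[:ihl] + bytes(tcp), old


def checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_packet("10.0.0.1", "10.0.0.2", TCP_SYN, options=bytes([2, 4, 0x05, 0xB4]))
    out, old = clamp_mss(syn, 1452)
    print(f"SYN: MSS {old} -> {read_mss(out)}, checksum ok: {checksum_ok(out)}")
```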