From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 16 07:09:33 2005
Message-ID: <20050116070932.68628.qmail@web54507.mail.yahoo.com>
Date: Sat, 15 Jan 2005 23:09:32 -0800 (PST)
From: mohammad talaee
To: freebsd-ipfw@freebsd.org
Subject: Request For IPFW Doc

Hello,

I am a computer student. I read your forum and want to know more about IPFW.
If it is possible for you, please send me new information or benchmarks about it.
I am researching for my project about security.

Thanks a lot,
Talaee (Iran/Tehran)

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 16 16:43:25 2005
Message-Id: <5.1.0.14.2.20050116103913.0c767850@209.152.117.178>
Date: Sun, 16 Jan 2005 10:42:46 -0600
To: mohammad talaee
From: "W. D."
In-Reply-To: <20050116070932.68628.qmail@web54507.mail.yahoo.com>
cc: freebsd-ipfw@freebsd.org
Subject: Re: Request For IPFW Doc

At 01:09 1/16/2005, mohammad talaee wrote:
>Hello
>I am an computer student and I read your forum and want to know more about
>IPFW.
>If it's possible for you please send me new informations or benchmark about
>that.
>I am researching for my project about security.
>Thanks alot
>Talaee (Iran/Tehran)

Here's some info below. Perhaps once you figure it all out, you could
write up a "cheatsheet" to help others.

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
http://lists.freebsd.org/pipermail/freebsd-ipfw/
http://marc.theaimsgroup.com/?l=freebsd-ipfw&r=1&w=2
http://marc.theaimsgroup.com/?l=freebsd-ipfw&w=2&r=1&s=newbie&q=b
http://www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html
http://www.onlamp.com/pub/a/bsd/2001/05/09/FreeBSD_Basics.html
http://freebsd.hanirc.org/holyboard/holyboard.cgi?db=ipfw
http://www.Google.com/search?q=%22ipfw_rules%22+Richard+Caley
http://www.Google.com/search?q=ipfw+firewall+rules
http://www.Google.com/search?q=%22ipfw_rules%22
http://www.Google.com/search?q=ipfw+firewall+rules+primer
http://dva.dyndns.org/faq.html

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 17 11:02:45 2005
Date: Mon, 17 Jan 2005 11:02:44 GMT
Message-Id: <200501171102.j0HB2ifJ071635@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker      Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274   ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341   ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154   ipfw  ipfw core (crash)
o [2004/03/03] kern/63724   ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694   ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910   ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104   ipfw  ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483   ipfw  ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker      Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534   ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159   ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172   ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086   ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749    ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984   ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719   ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963   ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366   ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 17 18:04:35 2005
From: "Adolfo B. Ferreira"
To: ipfw@freebsd.org
Date: Mon, 17 Jan 2005 16:00:09 -0200
Message-Id: <1105984809.950.12.camel@notebook>
Subject: PIPE in NATD

Hello Folks,

I tried to pipe NATD but I only got errors. I tried pipe with this line:

    add 10 pipe 10 divert natd ip from any to any in via rl0

I searched in Google but I did not find the answer. I want to use QoS on all my network clients. How do I do this?

Thanks all,

Adolfo Bravo Ferreira
Network Administrator / Security Analyst / Developer
Grupo Ferreira Limitada
Telephone: 11 50628877

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 17 20:50:01 2005
From: "Andrew Seguin"
Date: Mon, 17 Jan 2005 21:49:27 +0100
In-Reply-To: <1105984809.950.12.camel@notebook>
Message-Id: <20050117205351.EAE6A54A5@borgtech.ca>
cc: "'Adolfo B. Ferreira'"
Subject: RE: PIPE in NATD

Ok, I'm far from an expert, but how about

    # Make traffic coming out of the pipe keep on going through the rules.
    sysctl net.inet.ip.fw.one_pass=0
    ipfw add 10 pipe 10 ip from any to any
    # A divert rule needs a packet pattern; reuse the one from the question.
    ipfw add 20 divert natd ip from any to any via rl0

I truly hope this helps,
Andrew

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Adolfo B. Ferreira
Sent: Monday, January 17, 2005 7:00 PM
To: ipfw@freebsd.org
Subject: PIPE in NATD
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 17 21:11:44 2005
From: Martes Wigglesworth
To: Andrew Seguin
cc: ipfw@freebsd.org
Date: Tue, 18 Jan 2005 00:11:26 +0300
In-Reply-To: <20050117205351.EAE6A54A5@borgtech.ca>
Message-Id: <1105996037.66573.83.camel@Mobile1.276NET>
Subject: RE: PIPE in NATD

I usually just add the pipe rulesets after the natd divert rule. I have a 70-host ISP network, that I have on an internal network, with natd, and I use dummynet to make sure that all subnets have equal bandwidth access.

    divert rule....
    pipe 1 rule ....
    etc....

--
Respectfully: M.G.W.
ASUS M6BN Intel Dothan 1.7Ghz 512MB RAM 15.4" LCD Wireless B/G 10/100/1000 NIC 5.2.1-RELEASE

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 19 13:12:43 2005
Date: Wed, 19 Jan 2005 14:12:38 +0100
From: Vladimir Kotal To: freebsd-ipfw@freebsd.org Message-ID: <20050119131238.GA19631@otaku.xtrmntr.org> References: <20041221103650.GC25908@otaku.xtrmntr.org> <20041221104021.GA26902@otaku.xtrmntr.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="MGYHOYXEY6WxJCY8" Content-Disposition: inline In-Reply-To: <20041221104021.GA26902@otaku.xtrmntr.org> User-Agent: Mutt/1.4.2.1i Accept-Languages: cz, sk, en Subject: Re: ipfw2 for IPV6 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: vlada@devnull.cz List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jan 2005 13:12:43 -0000 --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline More update on this one: - I've added code which enables IPv6 forwarding functionality - this is confirmed to work with one_pass={0,1} - patch of ip6_forward.c (against 4.10 patch branch) included Latest version of the IPFW2+IPv6+dummynet patch for 4.x is available at http://techie.devnull.cz/ipv6/ipfw2-ipv6-dummynet/ v. --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ip6_forward.c.patch" diff -uNr --exclude-from=exclude src.orig/sys/netinet6/ip6_forward.c src/sys/netinet6/ip6_forward.c --- sys/netinet6/ip6_forward.c Fri Jan 24 06:11:35 2003 +++ sys/netinet6/ip6_forward.c Wed Dec 22 17:55:54 2004 @@ -34,6 +34,7 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_ipfw.h" #include #include @@ -78,7 +79,12 @@ #define IPSEC #endif /* FAST_IPSEC */ +#ifdef IPFW2 +#include +#include +#else #include +#endif #include @@ -113,6 +119,16 @@ #ifdef IPSEC struct secpolicy *sp = NULL; #endif +#ifdef IPFW2 + struct ip_fw_args args; + int i; + + args.eh = NULL; + args.oif = NULL; + args.rule = NULL; + args.divert_rule = 0; + args.next_hop = NULL; +#endif #ifdef IPSEC /* 
@@ -455,20 +471,6 @@ } /* - * Check with the firewall... - */ - if (ip6_fw_enable && ip6_fw_chk_ptr) { - u_short port = 0; - /* If ipfw says divert, we have to just drop packet */ - if ((*ip6_fw_chk_ptr)(&ip6, rt->rt_ifp, &port, &m)) { - m_freem(m); - goto freecopy; - } - if (!m) - goto freecopy; - } - - /* * Fake scoped addresses. Note that even link-local source or * destinaion can appear, if the originating node just sends the * packet to us (without address resolution for the destination). 
@@ -513,6 +515,61 @@ in6_clearscope(&ip6->ip6_src); in6_clearscope(&ip6->ip6_dst); #endif + + /* + * Check with the firewall... + * XXX not really sure if it belongs here, but we need origifp ptr + */ +#ifdef IPFW2 + if (fw_enable && IPFW_LOADED) { + args.m = m; + args.oif = rt->rt_ifp; + i = ip_fw_chk_ptr(&args); + m = args.m; + + if ( (i & IP_FW_PORT_DENY_FLAG) || m == NULL) { /* drop */ + if (m) + m_freem(m); /* XXX error = EACCESS; */ + goto freecopy; + } + ip6 = mtod(m, struct ip6_hdr *); /* XXX check if necessary */ +#if 0 + if (off == 0 && dst == old) /* common case */ + goto pass6; +#endif + if (DUMMYNET_LOADED && (i & IP_FW_PORT_DYNT_FLAG) != 0) { + args.dummypar.ro_or = ip6_forward_rt; + args.dummypar.ifp_or = rt->rt_ifp; + args.dummypar.origifp_or = origifp; + args.dummypar.dst_or = *dst; +#if 0 + args.dummypar.flags_or = flags; + args.flags = flags; +#endif + error = ip_dn_io_ptr(m, i & 0xffff, DN_TO_IP6_OUT, + &args); + /* packet was scheduled and it will be possibly + transferred by dummynet_io(), we need to free + copied mbuf and return + */ + goto freecopy; + } + } +#else + if (ip6_fw_enable && ip6_fw_chk_ptr) { + u_short port = 0; + /* If ipfw says divert, we have to just drop packet */ + if ((*ip6_fw_chk_ptr)(&ip6, rt->rt_ifp, &port, &m)) { + m_freem(m); + goto freecopy; + } + if (!m) + goto freecopy; + } +#endif + + + /* * Check if we want to allow this packet to be processed. 
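Review bot: in the @@ -113,6 +119,16 @@ hunk, struct ip_fw_args args is only partially initialised (eh, oif, rule, divert_rule, next_hop); the later hunk reads and writes other members (args.m, args.dummypar.*, and args.flags under #if 0), so any member not listed here holds stack garbage when ip_fw_chk_ptr(&args) runs. Suggest bzero(&args, sizeof(args)); before the per-field assignments so that members added to the structure later are covered too.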
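Review bot: the @@ -455,20 +471,6 @@ hunk removes the firewall check from before the "Fake scoped addresses" block, and the following hunk re-adds it after in6_clearscope() has been applied to ip6_src and ip6_dst, so IPv6 firewall rules now match on addresses with the embedded scope identifier cleared rather than on the header as received. The new comment already says "XXX not really sure if it belongs here"; the behaviour change for link-local and other scoped addresses should be stated in the commit message, and the reason the check moved (origifp is needed for args.dummypar.origifp_or) belongs in the comment itself.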
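Review bot: in the @@ -513,6 +515,61 @@ hunk, the two #if 0 blocks (the off == 0 && dst == old shortcut and the flags_or/flags assignments) and the commented-out /* XXX error = EACCESS; */ are dead code and should be dropped or finished before commit; note also that the errno constant is spelled EACCES, so the comment would not compile if enabled as written. In the dummynet branch the return value of ip_dn_io_ptr() is stored in error and execution then jumps to freecopy, so confirm that freecopy reports error to the caller; otherwise the assignment is unused. The three blank lines added before the "Check if we want to allow this packet" comment are stray whitespace.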
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 22 01:55:13 2005
From: "Chris"
Date: Sat, 22 Jan 2005 02:04:57 -0000
Message-Id: <20050122015511.71F63974C3B@mail.garlic-breath.net>
Subject: check-state,logging and dummynet questions

Hi

I have been using ipfw for a small while now, but have a few concerns I will list below.

1 - Logging - I would like to see the packet size logged so when I am attacked I can diagnose the type of attack more effectively; other firewalls such as pf and iptables do this. I would also like an option to perhaps rate limit logging so if I am receiving 5000 pps I am not logging 5000 pps. I have used the logamount directive to help this problem.

2 - Dummynet - I would like to rate limit syn packets via packets per second rather than kbit/sec because I currently limit src IPs to 1kbit/sec of tcp syn to help on syn floods but this is still too high; also it would be nice if the interval of the block could be adjustable when dummynet blocks.

3 - keep-state - This is a weird one. I am currently using allow established instead of check-state because if I use check-state every time I flush the rules I get booted from my ssh session and a load of established connections drop. I understand this is probably intended behaviour since it has to re-establish the stateful flag after the flush; is there a way to work around this for connections that need to stay alive during a rule cycle, or even better a way to keep dynamic rules when static rules are flushed?
Thanks for your time
Chris

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 22 21:30:35 2005
Message-ID: <009501c500c9$951efe30$7300a8c0@EAGLE>
From: "The Jetman"
To: "FBSD IPFW"
Date: Sat, 22 Jan 2005 16:29:54 -0500
Subject: About Network Accounting

Recently, there was a little thread about network accounting via IPFW and I was curious about the efficacy of my own solution.

#### x.y.z.14
${ipfw} add pipe 7 ip from x.y.z.14 to any
${ipfw} pipe 7 config bw 1024Kbit/s queue 50
${ipfw} add pipe 8 ip from any to x.y.z.14
${ipfw} pipe 8 config bw 1024Kbit/s queue 50
####

I set up a series of rules for each of a series of real IPs, similar to those shown above, to cap bandwidth usage and to provide a series of byte counters that could be captured hourly. This box was a bridge between the client's internal net and their T1. My CRON job would sit on the working side of a pipe from the 'ipfw -a list' command, then parse each rule for the inbound, then outbound, byte/packet count. Each inbound/outbound count was then inserted into a SQL UPDATE statement for each IP. Any IP without a set of rules as shown above would be explicitly inhibited with IPFW rules.

I inquire because I've seen a couple of other approaches and was curious if my approach makes sense. BTW, I'm not asking for a solution, nor am I asking for code to complete a project. My code (in Python) is written, is stable, and appears to deliver the desired results.

TIA.
Later....Jet

=============== From the desk of Jethro Wright, III ================
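A constructed illustration of the hourly counter collection the post describes, added here and not the poster's own code: it parses `ipfw -a list` output (rule number, packet count, byte count, rule body; the sample listing and its 192.0.2.x addresses are made up), computes the delta since the previous snapshot while tolerating a counter reset, flags hosts that lack an inbound or outbound pipe rule, and builds parameterised UPDATE statements. The table name `usage` and its column names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `ipfw -a list` output: rule number, packet count,
# byte count, then the rule body. Modelled on the pipe rules in the post,
# with documentation addresses (192.0.2.0/24) standing in for the real IPs.
SAMPLE_LISTING = """\
00100  18211  24567890 pipe 7 ip from 192.0.2.14 to any
00200  20345  31098765 pipe 8 ip from any to 192.0.2.14
00300   1500   2100000 pipe 9 ip from 192.0.2.15 to any
00400      0         0 deny ip from 192.0.2.99 to any
65535     99     12000 allow ip from any to any
"""

# Only the per-host pipe rules carry accounting data; everything else is skipped.
PIPE_RULE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+pipe\s+\d+\s+"
    r"ip\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s*$"
)

def parse_pipe_counters(listing):
    """Map each host IP to its cumulative (pkts, bytes) per direction:
    'from <ip> to any' is outbound, 'from any to <ip>' is inbound."""
    counters = defaultdict(lambda: {"in": None, "out": None})
    for line in listing.splitlines():
        m = PIPE_RULE.match(line.strip())
        if not m:
            continue
        count = (int(m["pkts"]), int(m["bytes"]))
        src, dst = m["src"], m["dst"]
        if dst == "any" and src != "any":
            counters[src]["out"] = count
        elif src == "any" and dst != "any":
            counters[dst]["in"] = count
    return dict(counters)

def hosts_missing_rules(counters, expected_hosts):
    """Hosts that lack an inbound or outbound pipe rule: traffic in that
    direction is neither capped nor counted, so the hourly figures are short."""
    missing = {}
    for host in expected_hosts:
        entry = counters.get(host, {"in": None, "out": None})
        gaps = [d for d in ("in", "out") if entry[d] is None]
        if gaps:
            missing[host] = gaps
    return missing

def hourly_delta(previous, current):
    """Bytes moved since the previous snapshot. ipfw counters are cumulative,
    so subtract; a value lower than last time means the rules were reloaded
    or zeroed, and then the current value itself is the best estimate."""
    delta = {}
    for host, entry in current.items():
        prev = previous.get(host, {"in": None, "out": None})
        delta[host] = {}
        for direction in ("in", "out"):
            if entry[direction] is None:
                continue
            cur_bytes = entry[direction][1]
            prev_bytes = prev[direction][1] if prev[direction] else 0
            delta[host][direction] = (cur_bytes - prev_bytes
                                      if cur_bytes >= prev_bytes else cur_bytes)
    return delta

def update_statements(delta, table="usage"):
    """One parameterised UPDATE per host for cursor.execute(sql, params); the
    IP and counts travel as parameters, never spliced into the SQL text."""
    sql = ("UPDATE %s SET bytes_in = bytes_in + ?, bytes_out = bytes_out + ? "
           "WHERE ip = ?" % table)
    return [(sql, (d.get("in", 0), d.get("out", 0), host))
            for host, d in sorted(delta.items())]
```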