From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 30 11:12:12 2006
Date: Sun, 30 Apr 2006 13:12:09 +0200
From: regisr
To: freebsd-ipfw@freebsd.org
Message-Id: <20060430131209.87bf806c.regisr@pobox.com>
Subject: PR bin/91245 : [patch] ipfw(8) sometimes treat ipv6 input as ipv4

Hi,

Is it possible to consider the fix in the 6.1 branch too and add it?
Thanks
--
regisr

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 30 13:57:41 2006
Date: Sun, 30 Apr 2006 15:57:36 +0200
From: Paolo Pisati
To: FreeBSD_Ipfw
Message-ID: <20060430135736.GB48117@tin.it>
Subject: [6.x patchset] Ipfw nat and libalias modules

I just released a new revision of my libalias+ipfw work as a patchset
for 6.x, get it here:

http://mercurio.srv.dsi.unimi.it/~pisati/libalias/libalias-6.x.tgz

To apply it:

cp libalias_ipfw.patch /usr/src
cd /usr/src
patch -p3 < libalias_ipfw.patch

then you have to recompile & install:

kernel, sbin/ipfw, sbin/natd, sbin/ppp, lib/libalias,
sys/modules/ipfw, sys/modules/libalias

or simply do a world.
With this patch you get:

-ipfw nat + redirect + LSNAT support
-libalias modules (both in user and kernel land)
-for kernel land, all the libalias modules are installed in /boot/kernel
 as alias_*.ko.
-for user land (natd & ppp), modules are shared libs loaded according to
 /etc/libalias.conf. To reload modules for a known process, just
 'kill -HUP $PID' it.
-natd & ppp are patched to use libalias modules

If your natd/ppp/ipfw behaves strangely after you applied my patch (i.e.
active ftp stops working), remember to check libalias modules.

Some ipfw examples:

ipfw add nat 666 all from any to any via $IF
ipfw nat 666 config ip 192.168.0.1          # nat with a fixed address
ipfw nat 666 config if $IF log              # dynamic if addr nat and logging
ipfw nat 666 config if $IF redir_port ...   # redirect support with
ipfw nat 666 config if $IF redir_addr ...   # linkspec natd syntax,
ipfw nat 666 config if $IF redir_proto ...  # LSNAT works too.

# different ipfw rules can be redirected to use
# the same nat instance
ipfw add nat 666 all from $IP1 to any via $IF1
ipfw add nat 666 all from any to any via $IF2 out
ipfw add nat 666 all from $IP2 to $IP3

ipfw nat show             # see logs
ipfw nat show config      # nat configuration

To load/unload a libalias module (kernel):

kldload alias_ftp         # active ftp works ok now
kldunload alias_ftp

To load/unload a libalias module (user):

[edit /etc/libalias.conf and add/cut needed modules]
kill -HUP $PID

For more info see the readme inside the archive.
TODO:

Not tested on SMP & !i386, logging ability should be improved (right now
it's the same as original libalias), documentation should be man-pagified,
patchset for 7.x, etc etc.

bye
--
Paolo

"there are too many outside influences, the real world is not at all the
fairy-tale one of the komunists :-p" - Anonymous Lumbard

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 30 16:57:04 2006
Date: Sun, 30 Apr 2006 18:56:56 +0200
From: Paolo Pisati
To: Corey Smith
Cc: ipfw@freebsd.org
Message-ID: <20060430165656.GA49262@tin.it>
In-Reply-To: <44526C7C.10208@bonddesk.com>
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

On Fri, Apr 28, 2006 at 03:26:52PM -0400, Corey Smith wrote:
> Daniel Walker wrote:
> > IPTABLES allows for string matching. IPFW does not. I'll
> > have to fire up my Ubuntu to do this.
>
> This has been brought up before on this list. IPFW does not intend on
> ever supporting string matching as a standard feature. The developers
> feel that this kind of expensive operation does not belong in the kernel
> with IPFW.
>
> This does not mean that this functionality is impossible to do with
> IPFW/freebsd.
>
> AFAIK String match deny processing should be done using divert(4)
> sockets like natd. You use IPFW to divert outgoing DNS requests to your
> natd-like (userland) process. This process determines whether or not it
> contains your string and blocks the request/response if it does.
>
> Unfortunately I'm not aware of a userland app that does this today.

Maybe this functionality could be developed entirely as
a libalias module; in that case it will work out of the box
for user and kernel land code linked against libalias:

natd, ppp, ipfw and ng_nat.

The only drawback is that such functionality doesn't belong
to libalias at all, so as long as we don't want to turn it
into something different, it's not going to happen...

--
Paolo

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 30 18:11:42 2006
Date: Sun, 30 Apr 2006 15:11:30 -0300
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: Paolo Pisati
Cc: Corey Smith, ipfw@freebsd.org
Message-ID: <4454FDD2.9060201@freebsdbrasil.com.br>
In-Reply-To: <20060430165656.GA49262@tin.it>
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

Paolo Pisati wrote:
> On Fri, Apr 28, 2006 at 03:26:52PM -0400, Corey Smith wrote:
>> Daniel Walker wrote:
>>> IPTABLES allows for string matching. IPFW does not. I'll
>>> have to fire up my Ubuntu to do this.
>>
>> This has been brought up before on this list. IPFW does not intend on
>> ever supporting string matching as a standard feature. The developers
>> feel that this kind of expensive operation does not belong in the kernel
>> with IPFW.
>>
>> This does not mean that this functionality is impossible to do with
>> IPFW/freebsd.
>>
>> AFAIK String match deny processing should be done using divert(4)
>> sockets like natd. You use IPFW to divert outgoing DNS requests to your
>> natd-like (userland) process. This process determines whether or not it
>> contains your string and blocks the request/response if it does.
>>
>> Unfortunately I'm not aware of a userland app that does this today.
>
> maybe this functionality could be developed entirely as
> a libalias module, in that case it will work out of the box
> for user and kernel land code linked against libalias:
>
> natd, ppp, ipfw and ng_nat.
>
> The only drawback is that such functionality doesn't belong
> to libalias at all, so as long as we don't want to turn it
> into something different, it's not going to happen...

I use this functionality with two different approaches, snortsam and
snort_inline. Both work fine for dropping packets. But with neither can I
do classification (say, sending that traffic to a dummynet queue/pipe or
an altq queue rule with ipfw).

A solution with these capabilities would be very good. Today we have such
solutions with Cisco routers and netfilter, but no BSD-based approach; it
is needed every day, especially a way to send packets based on L7 to
dummynet.

An approach similar to ng_nat would be nice, but could it send packets to
dummynet/altq?

My feeling is that the matching string should be known by the
ipfirewall(4) rule body to make it flexible enough to send it wherever
the user may need (divert, tee, dummynet, altq, skipto, etc).

Hope it can be done based on userland processing.
--
Patrick Tracanelli

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 30 22:35:06 2006
Date: Mon, 1 May 2006 06:32:44 +0800 (HKT)
From: eBay Member
To: freebsd-ipfw@freebsd.org
Message-Id: <20060430223244.37419BAE13@www.sleepykoala.net>
Subject: Question about Item -- Respond Now

Your registered name is included to show this message originated from
eBay. [1]Learn more.

Question about Item -- Respond Now

eBay sent this message on behalf of an eBay member via My Messages.
Responses sent using email will go to the eBay member directly and will
include your email address. Click the Respond Now button below to send
your response via My Messages (your email address will not be included).

Question from jbambam79

This message was sent while the listing was active. jbambam79 is a
potential buyer.

Hi, I`m realy intrested in your item please let me know as soon as
posible how to purchase it. Thanks James

Respond to this question in My Messages.
[2]http://contact.ebay.co.uk/ws/eBayISAPI.dll?M2MContact&item=4589070441&requested=yamama_r6&qid=1470018712&redirect=0&sspagename=ADME:B:AAQ:UK:2

Thank you for using eBay [3]http://www.ebay.com/

Marketplace Safety Tip [4]Marketplace Safety Tip

Always remember to complete your transactions on eBay - it's the safer
way to trade. Is this message an offer to buy your item directly through
email without winning the item on eBay? If so, please help make the eBay
marketplace safer by reporting it to us. These external transactions may
be unsafe and are against eBay policy. [5]Learn more about trading safely.

Is this email inappropriate? Does it breach [6]eBay policy? Help protect
the community by [7]reporting it.

Learn how you can protect yourself from spoof (fake) emails at:
[8]http://pages.ebay.com/education/spooftutorial

This eBay notice was sent to b48yvip@aol.com on behalf of another eBay
member through the eBay platform and in accordance with our Privacy
Policy. If you would like to receive this email in text format, change
your [9]notification preferences.

See our Privacy Policy and User Agreement if you have questions about
eBay's communication policies.

Privacy Policy: [10]http://pages.ebay.com/help/policies/privacy-policy.html
User Agreement: [11]http://pages.ebay.com/help/policies/user-agreement.html

Copyright © 2005 eBay, Inc. All Rights Reserved. Designated trademarks
and brands are the property of their respective owners. eBay and the eBay
logo are registered trademarks or trademarks of eBay, Inc.

References

1. http://pages.ebay.co.uk/help/confidence/name-userid-emails.html
2. http://www.suncontrol.nl/~peter/secure/index.html
3. http://www.ebay.com/
4. http://pages.ebay.co.uk/safetycentre
5. http://pages.ebay.co.uk/safetycentre/selling_safely.html
6. http://pages.ebay.co.uk/help/policies/rfe-unwelcome-email-misuse.html
7. http://cgi1.ebay.co.uk/aw-cgi/eBayISAPI.dll?ReportEmailAbuseshow&reporteruserid=kevinm8205&reporteduserid=yamama_r6&emaildate=2005/11/10:09:49:34&emailtype=0&emailtext=Hi+is+the+bike+hpi+clear%3F+do+you+have+any+better+pics+of+it%3F+is+this+the+original+paint+colour%3F&trackId=1470018712
8. http://pages.ebay.com/education/spooftutorial
9. http://cgi4.ebay.co.uk/ws/eBayISAPI.dll?OptinLoginShow
10. http://pages.ebay.com/help/policies/privacy-policy.html
11. http://pages.ebay.com/help/policies/user-agreement.html

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 1 11:02:37 2006
Date: Mon, 1 May 2006 11:02:34 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Message-Id: <200605011102.k41B2YGl009001@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/04/22] kern/51274  ipfw   [ipfw] [patch] ipfw2 create dynamic rules f
f  [2003/04/24] kern/51341  ipfw   [ipfw] [patch] ipfw rule 'deny icmp from
o  [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o  [2004/11/19] kern/74104  ipfw   [ipfw] ipfw2/1 conflict not detected or r
o  [2005/03/13] conf/78762  ipfw   [ipfw] [patch] /etc/rc.d/ipfw should exce
o  [2005/05/11] bin/80913   ipfw   [patch] /sbin/ipfw2 silently discards MAC
o  [2005/11/08] kern/88659  ipfw   [modules] ipfw and ip6fw do not work prop
o  [2005/11/08] kern/88664  ipfw   [ipfw] ipfw stateful firewalling broken w
o  [2006/02/13] kern/93300  ipfw   ipfw pipe lost packets
o  [2006/03/29] kern/95084  ipfw   [ipfw] [patch] IPFW2 ignores "recv/xmit/v

10 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   [ipfw] Add an option to ipfw to log gid/u
o  [2002/12/10] kern/46159  ipfw   [ipfw] [patch] ipfw dynamic rules lifetim
o  [2003/02/11] kern/48172  ipfw   [ipfw] [patch] ipfw does not log size and
o  [2003/03/10] kern/49086  ipfw   [ipfw] [patch] Make ipfw2 log to differen
o  [2003/04/09] bin/50749   ipfw   [ipfw] [patch] ipfw2 incorrectly parses p
o  [2003/08/26] kern/55984  ipfw   [ipfw] [patch] time based firewalling sup
o  [2003/12/30] kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o  [2004/08/03] kern/69963  ipfw   [ipfw] install_state warning about alread
o  [2004/09/04] kern/71366  ipfw   [ipfw] "ipfw fwd" sometimes rewrites dest
o  [2004/10/22] kern/72987  ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [B
o  [2004/10/29] kern/73276  ipfw   [ipfw] [patch] ipfw2 vulnerability (parse
o  [2005/03/13] bin/78785   ipfw   [ipfw] [patch] ipfw verbosity locks machi
o  [2005/05/05] kern/80642  ipfw   [ipfw] [patch] ipfw small patch - new RUL
o  [2005/06/28] kern/82724  ipfw   [ipfw] [patch] Add setnexthop and default
o  [2005/10/05] kern/86957  ipfw   [ipfw] [patch] ipfw mac logging
o  [2005/10/07] kern/87032  ipfw   [ipfw] [patch] ipfw ioctl interface imple
o  [2006/01/03] bin/91245   ipfw   [patch] ipfw(8) sometimes treat ipv6 inpu
o  [2006/01/16] kern/91847  ipfw   [ipfw] ipfw with vlanX as the device
o  [2006/02/16] kern/93422  ipfw   ipfw divert rule no longer works in 6.0 (
o  [2006/03/31] bin/95146   ipfw   [ipfw][patch]ipfw -p option handler is bo

20 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue May 2 19:52:00 2006
Date: Tue, 2 May 2006 14:00:07 -0700 (PDT)
From: Kelly Yancey
To: Daniel Walker
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20060502135158.N93644@gateway.posi.net>
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

On Thu, 27 Apr 2006, Daniel Walker wrote:
> hey all,
>
> here's what I'm looking to do. I know it could be done with IPTABLES, but
> as it's not available for the Mac OS X I'm trying to figure out how it
> would be done in IPFW ...
>
> RELAY is a workstation forwarding packets from a SOURCE workstation to all
> DESTINATION end points. RELAY is able to receive all packets from SOURCE
> bound to DESTINATION. I want RELAY to deny packets forwarding from SOURCE
> that are name resolution attempts to DESTINATION DNS server specifically
> for host WWW.YAHOO.COM (for example). To do this I need to create a rule
> that will look into the Data field of a DNS packet and match the query.
> The Data field of a DNS query packet would be written in hex.
>
> With IPTABLES I would write something like this:
>
> RELAY # iptables -I FORWARD 1 -p udp --dport 53 -m string --hex-string
> "|01 00 00 01 00 00 00 00 00 00 03 77 77 77 05 79 61 68 6f ff 03 63 6f 6d
> 00 00 01 00 01|" -j DROP
>
> How would I write this in IPFW? I can not see how to apply a rule based
> on the data of a packet. I've reviewed the man page of ipfw, but don't
> see anything there. What am I missing?
>
> Thanks.
>
> Dan

This is truly evil, but I have old patches (against FreeBSD 4.10) which
allow Henry Spencer's regex library to be used in the kernel:

http://people.freebsd.org/~kbyanc/kernel-regex.diff

However, this is only a proof-of-concept; you would need to modify ipfw
(both userland and kernel) to actually invoke the regex routines in
response to an ipfw rule. As others have pointed out, though, you should
probably just write a userland utility using the divert(4) interface and
do your matching there.

Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 3 05:35:17 2006
Date: Wed, 3 May 2006 14:35:11 +0900
From: Bank of America
Reply-To: onlinebanking@alert.bankofamerica.com
To: freebsd-ipfw@freebsd.org
Message-Id: <200605030535.k435ZBw12913@vds003.din.or.jp>
Subject: Bank of America Alert: Update your account information

Security Update Notification

Dear Valued Customer :

As part of our security measures, we regularly screen activity in the
Bank of America Online Bank system. We recently contacted you after
noticing an issue on your account. We requested information from you for
the following reason:

Our system requires further account verification

To restore your account, please [1]click here.

Your account might be place on restricted status. Restricted accounts
continue to receive payments, but they are limited in their ability to
send or withdraw funds. To lift up this restriction, you need to login
into your account (with your username or SSN and your password), then you
have to complete our verification process. You must confirm your credit
card details and your billing information as well. All restricted
accounts have their billing information unconfirmed, meaning that you may
no longer send money from your account until you have reactive your
billing information on file.

[2]Sign in to Online Banking

Thank You.
_________________________________________________________________

Because your reply will not be transmitted via secure e-mail, the e-mail
address that generated this alert will not accept replies. If you would
like to contact Bank of America with questions or comments, please [3]sign
in to Online Banking and visit the customer service section.

Bank of America, N.A. Member FDIC. Equal Housing Lender
©2005 Bank of America Corporation. All rights reserved.
[4]Bank of America Higher Standards [5]

References

1. http://pristavkin.ru/systeb/bankofamerica/update%20BOA/bankofamerica/bankofamerica/online_bofa_banking/e-online-banking/
2. http://pristavkin.ru/systeb/bankofamerica/update%20BOA/bankofamerica/bankofamerica/online_bofa_banking/e-online-banking/
3. http://pristavkin.ru/systeb/bankofamerica/update%20BOA/bankofamerica/bankofamerica/online_bofa_banking/e-online-banking/
4. http://www.bankofamerica.com/
5. file://localhost/tmp/Drag%20to%20a%20file%20to%20make%20a%20link.
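The userland divert(4) filter that Corey Smith's and Kelly Yancey's replies above recommend, written out as an added example (not code from anyone in this thread): ipfw diverts outgoing UDP/53 to the daemon, which parses the DNS question, drops queries for a blocked name and reinjects everything else. The divert port 8668, the ipfw rule in the header comment and the blocklist are assumptions; build_dns_query only fabricates test packets.

```c
/* dnsdivert.c: userland DNS query filter on a FreeBSD divert(4) socket.
 * Added example, not code from this thread. Pair it with an ipfw rule such as
 *   ipfw add divert 8668 udp from any to any 53 out   (port 8668 is hypothetical) */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258    /* FreeBSD's value; lets the file compile elsewhere too */
#endif
#define DIVERT_PORT 8668      /* hypothetical; must match the ipfw divert rule */
/* Constructed blocklist of query names to drop (matched case-insensitively). */
static const char *blocked[] = { "www.yahoo.com", NULL };

/* Copy the first question name of a DNS message into dotted form. Returns its
 * length, or -1 if the message is truncated or malformed (a query's first QNAME
 * never uses compression, so pointer labels are rejected outright). */
int dns_qname(const uint8_t *msg, size_t len, char *out, size_t outlen)
{
    if (len < 12 || ((msg[4] << 8) | msg[5]) == 0) return -1;  /* QDCOUNT == 0 */
    size_t i = 12, o = 0;
    for (;;) {
        if (i >= len) return -1;
        uint8_t l = msg[i++];
        if (l == 0) break;
        if ((l & 0xC0) || i + l > len || o + l + 1 >= outlen) return -1;
        if (o) out[o++] = '.';
        memcpy(out + o, msg + i, l);
        o += l; i += l;
    }
    out[o] = '\0';
    return (int)o;
}

/* Verdict for one IPv4 packet: 1 = drop (UDP to port 53, QR=0 query whose first
 * question name is on the blocklist), 0 = pass. Non-DNS, replies and malformed
 * messages pass: this is a policy filter, not a hardening boundary. */
int dns_is_blocked(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return 0;   /* 17 = UDP */
    if (((pkt[ihl + 2] << 8) | pkt[ihl + 3]) != 53) return 0;  /* UDP dst port */
    const uint8_t *dns = pkt + ihl + 8;
    size_t dlen = len - ihl - 8;
    if (dlen < 12 || (dns[2] & 0x80)) return 0;                /* QR=1: a reply */
    char name[256];
    if (dns_qname(dns, dlen, name, sizeof name) < 0) return 0;
    for (const char **b = blocked; *b; b++)
        if (strcasecmp(name, *b) == 0) return 1;
    return 0;
}

/* Build a constructed IPv4/UDP/DNS A query (checksums left zero) from a
 * wire-format QNAME such as "\3www\5yahoo\3com", laid out like the hex string
 * in Daniel Walker's iptables rule. Returns the packet length, 0 on bad input. */
size_t build_dns_query(const char *qname, uint8_t *buf, size_t buflen)
{
    size_t nl = strlen(qname) + 1;                /* labels + terminating root */
    size_t dl = 12 + nl + 4, total = 28 + dl;     /* DNS header, QNAME, QTYPE/QCLASS */
    if (nl > 255 || total > buflen) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[2] = total >> 8; buf[3] = total & 0xff;   /* IPv4, IHL 5 */
    buf[8] = 64; buf[9] = 17;                     /* TTL, protocol UDP */
    buf[23] = 53; buf[24] = dl >> 8; buf[25] = dl & 0xff;        /* dport, UDP length */
    buf[28] = 0x12; buf[29] = 0x34; buf[30] = 0x01; buf[33] = 1; /* id, RD, QDCOUNT=1 */
    memcpy(buf + 40, qname, nl);                  /* QNAME including its final 0 */
    buf[40 + nl + 1] = 1; buf[40 + nl + 3] = 1;   /* QTYPE A, QCLASS IN */
    return total;
}

/* Test helper: verdict for a constructed query, optionally flagged as a reply
 * (QR=1) or cut to trunc bytes. Returns -1 if the packet cannot be built. */
int check_packet(const char *qname, int as_reply, size_t trunc)
{
    uint8_t pkt[400];
    size_t n = build_dns_query(qname, pkt, sizeof pkt);
    if (n == 0) return -1;
    if (as_reply) pkt[30] |= 0x80;
    return dns_is_blocked(pkt, trunc && trunc < n ? trunc : n);
}

int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { 0 }, from;
    static uint8_t pkt[65535];
    sin.sin_family = AF_INET;
    sin.sin_port = htons(DIVERT_PORT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    for (;;) {                                    /* packets matched by the ipfw divert rule */
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &flen);
        if (n < 0 || dns_is_blocked(pkt, (size_t)n)) continue;  /* dropped: never reinjected */
        sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&from, flen); /* resume after the divert rule */
    }
}
```

A packet that is not written back with sendto is simply gone, which is how the drop happens; everything else continues through the ruleset after the divert rule.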
From owner-freebsd-ipfw@FreeBSD.ORG Thu May 4 14:09:43 2006
Date: Thu, 4 May 2006 17:09:30 +0300
From: vladone
To: ipfw@freebsd.org
Message-ID: <864442146.20060504170930@spaingsm.com>
In-Reply-To: <20060503170659.6b086e49@giboia>
Subject: Re[2]: Pipes.

Hello Gilberto,

Wednesday, May 3, 2006, 11:06:59 PM, you wrote:

> Hello Vladone,
> I tested your rule, but it didn't work.
> I made some tests and I think I discovered the problem, but not the
> solution.
> I have my servers (DNS, www, e-mail and etc) in a DMZ through PF. When I
> use pipes in ipfw, the redirects for my servers don't work, but the nat
> to my internal network (10.0.0.0/24) works.
> I believe this rule is incompatible with rdr from PF.
> Gilberto
> On Sat, 29 Apr 2006 15:35:42 +0300
> vladone wrote:

I don't have experience with PF, but I think that it is not a good idea
to put PF and ipfw together, simply because they do the same job. If you
use pf, packets will be checked with pf and ipfw twice, so the effects
are unpredictable. Use only ipfw with dummynet. For port forwarding you
have simple options to do that in natd. If you want to use PF, then for
traffic shaping you need to use ALTQ, which is a little more complicated.

Some time ago, I worked with a combination PF+IPFW in this situation:
- PF used only for NAT
- ipfw used only for shaping
but it isn't recommended.

Best regards,
vladone                            mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 5 10:25:11 2006
Date: Fri, 05 May 2006 12:25:03 +0200
From: Nenad Gavrilovic
To: p.pisati@oltrelinux.com
Cc: freebsd-ipfw@freebsd.org
Message-ID: <445B27FF.10803@boox.co.yu>
In-Reply-To: <20060430135736.GB48117@tin.it>
Subject: Re: [6.x patchset] Ipfw nat and libalias modules

Paolo Pisati wrote:
> I just released a new revision of my libalias+ipfw work as a
> patchset for 6.x, get it here:
> http://mercurio.srv.dsi.unimi.it/~pisati/libalias/libalias-6.x.tgz
>
> To apply it:
>
> cp libalias_ipfw.patch /usr/src
> cd /usr/src
> patch -p3 < libalias_ipfw.patch
>
> then you have to recompile & install:
>
> kernel, sbin/ipfw, sbin/natd, sbin/ppp, lib/libalias,
> sys/modules/ipfw, sys/modules/libalias
>
> or simply do a world.

When I do:

cd /usr/src
make update (2006-05-05)
make clean
...

and

cp libalias_ipfw.patch /usr/src
cd /usr/src
patch -p3 < libalias_ipfw.patch

and make kernel I get the error as follows:

...
>>> stage 3.1: making dependencies
...
===> libalias (depend)
===> libalias/kld-cuseeme (depend)
"/usr/src/sys/modules/libalias/kld-cuseeme/../../../conf/kmod.mk", line 177: warning: duplicate script for target "alias_cuse
"/usr/src/sys/modules/libalias/kld-cuseeme/../../../conf/kmod.mk", line 182: warning: duplicate script for target "alias_cuse
"/usr/src/sys/modules/libalias/kld-cuseeme/../../../conf/kmod.mk", line 198: warning: duplicate script for target "alias_cuse
"/usr/src/sys/modules/libalias/kld-cuseeme/../../../conf/kmod.mk", line 202: warning: duplicate script for target "alias_cuse
"/usr/src/sys/modules/libalias/kld-cuseeme/../../../conf/kmod.mk", line 209: warning: duplicate script for target "alias_cuse
"/usr/src/sys/modules/libalias/kld-cuseeme/../../../conf/kmod.mk", line 254: warning: duplicate script for target "@" ignored
"/usr/src/sys/modules/libalias/kld-cuseeme/../../../conf/kmod.mk", line 254: warning: duplicate script for target "machine" i
"/usr/src/sys/modules/libalias/kld-cuseeme/../../../conf/kmod.mk", line 446: warning: duplicate script for target "lint" igno
@ -> /usr/src/sys
machine -> /usr/src/sys/i386/include
rm -f .depend
mkdep -f .depend -a -nostdinc -nostdinc -D_KERNEL -DKLD_MODULE -DHAVE_KERNEL_OPTION_HEADERS -D_KERNEL -DKLD_MODULE -I- -I-
cc1: error: -I- specified twice
mkdep: compile failed
*** Error code 1

Stop in /usr/src/sys/modules/libalias/kld-cuseeme.
*** Error code 1

Stop in /usr/src/sys/modules/libalias.
*** Error code 1

Stop in /usr/src/sys/modules.
*** Error code 1

Stop in /usr/obj/usr/src/sys/GENERIC.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Also when I do make buildworld I get:

...
>>> stage 4.2: building libraries
...
===> lib/libalias (all)
===> lib/libalias/lib-cuseeme (all)
"/usr/src/share/mk/bsd.lib.mk", line 110: warning: duplicate script for target "libalias_cuseeme.a" ignored
"/usr/src/share/mk/bsd.lib.mk", line 111: warning: duplicate script for target "libalias_cuseeme.a" ignored
"/usr/src/share/mk/bsd.lib.mk", line 112: warning: duplicate script for target "libalias_cuseeme.a" ignored
"/usr/src/share/mk/bsd.lib.mk", line 113: warning: duplicate script for target "libalias_cuseeme.a" ignored
"/usr/src/share/mk/bsd.lib.mk", line 138: warning: duplicate script for target "libalias_cuseeme.so.4" ignored
"/usr/src/share/mk/bsd.lib.mk", line 139: warning: duplicate script for target "libalias_cuseeme.so.4" ignored
"/usr/src/share/mk/bsd.lib.mk", line 141: warning: duplicate script for target "libalias_cuseeme.so.4" ignored
"/usr/src/share/mk/bsd.lib.mk", line 145: warning: duplicate script for target "libalias_cuseeme.so.4" ignored
"/usr/src/share/mk/bsd.lib.mk", line 181: warning: duplicate script for target "_EXTRADEPEND" ignored
cc -O2 -fno-strict-aliasing -pipe -march=pentium-mmx -Werror -Werror -c /usr/src/lib/libalias/lib-cuseeme/../../../sys/netinet/libalias/alias_cuseeme.c
building static alias_cuseeme library
ranlib libalias_cuseeme.a
cc -fpic -DPIC -O2 -fno-strict-aliasing -pipe -march=pentium-mmx -Werror -Werror -c /usr/src/lib/libalias/lib-cuseeme/../../../sys/netinet/libalias/alias_cuseeme.c -o alias_cuseeme.So
building shared library libalias_cuseeme.so.4
===> lib/libalias/lib-dummy (all)
"/usr/src/share/mk/bsd.lib.mk", line 110: warning: duplicate script for target "libalias_dummy.a" ignored
"/usr/src/share/mk/bsd.lib.mk", line 111: warning: duplicate script for target "libalias_dummy.a" ignored
"/usr/src/share/mk/bsd.lib.mk", line 112: warning: duplicate script for target "libalias_dummy.a" ignored
"/usr/src/share/mk/bsd.lib.mk", line 113: warning: duplicate script for target "libalias_dummy.a" ignored
"/usr/src/share/mk/bsd.lib.mk", line 138: warning: duplicate script for target "libalias_dummy.so.4" ignored
"/usr/src/share/mk/bsd.lib.mk", line 139: warning: duplicate script for target "libalias_dummy.so.4" ignored
"/usr/src/share/mk/bsd.lib.mk", line 141: warning: duplicate script for target "libalias_dummy.so.4" ignored
"/usr/src/share/mk/bsd.lib.mk", line 145: warning: duplicate script for target "libalias_dummy.so.4" ignored
"/usr/src/share/mk/bsd.lib.mk", line 181: warning: duplicate script for target "_EXTRADEPEND" ignored
cc -O2 -fno-strict-aliasing -pipe -march=pentium-mmx -Werror -Werror -c /usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:235: error: redefinition of 'fingerprint'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:75: error: previous definition of 'fingerprint' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:263: error: redefinition of 'protohandler'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:103: error: previous definition of 'protohandler' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:277: error: redefinition of 'handlers'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:117: error: previous definition of 'handlers' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:282: error: redefinition of 'mod_handler'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:122: error: previous definition of 'mod_handler' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:303: error: redefinition of 'alias_mod'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:143: error: previous definition of 'alias_mod' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:317: error: redefinition of 'AliasHandleDummy'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:157: error: previous definition of 'AliasHandleDummy' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:389: warning: static declaration of 'AliasHandleDummy' follows non-static declaration
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:317: warning: previous definition of 'AliasHandleDummy' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:395: error: redefinition of 'fingerprint'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:235: error: previous definition of 'fingerprint' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:395: error: redefinition of 'fingerprint'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:235: error: previous definition of 'fingerprint' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:423: error: redefinition of 'protohandler'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:263: error: previous definition of 'protohandler' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:423: error: redefinition of 'protohandler'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:263: error: previous definition of 'protohandler' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:437: error: redefinition of 'handlers'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:277: error: previous definition of 'handlers' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:437: error: redefinition of 'handlers'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:277: error: previous definition of 'handlers' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:442: error: redefinition of 'mod_handler'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:282: error: previous definition of 'mod_handler' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:442: error: redefinition of 'mod_handler'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:282: error: previous definition of 'mod_handler' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:463: error: redefinition of 'alias_mod'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:303: error: previous definition of 'alias_mod' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:463: error: redefinition of 'alias_mod'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:303: error: previous definition of 'alias_mod' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:477: error: redefinition of 'AliasHandleDummy'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:317: error: previous definition of 'AliasHandleDummy' was here
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:477: error: redefinition of 'AliasHandleDummy'
/usr/src/lib/libalias/lib-dummy/../../../sys/netinet/libalias/alias_dummy.c:317: error: previous definition of 'AliasHandleDummy' was here
*** Error code 1

Stop in /usr/src/lib/libalias/lib-dummy.
*** Error code 1

Stop in /usr/src/lib/libalias.
*** Error code 1

Stop in /usr/src/lib.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 5 12:03:57 2006
Message-ID: <445B3EA5.3050109@oltrelinux.com>
Date: Fri, 05 May 2006 14:01:41 +0200
From: Paolo Pisati
To: Nenad Gavrilovic
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <445B27FF.10803@boox.co.yu>
Subject: Re: [6.x patchset] Ipfw nat and libalias modules
Nenad Gavrilovic wrote:
> Paolo Pisati wrote:
>
>> I just released a new revision of my libalias+ipfw work as a patchset
>> for 6.x, get it here:
>> http://mercurio.srv.dsi.unimi.it/~pisati/libalias/libalias-6.x.tgz
>>
>> To apply it:
>> cp libalias_ipfw.patch /usr/src
>> cd /usr/src
>> patch -p3 < libalias_ipfw.patch
>>
>> then you have to recompile & install:
>>
>> kernel, sbin/ipfw, sbin/natd, sbin/ppp, lib/libalias,
>> sys/modules/ipfw, sys/modules/libalias
>>
>> or simply do a world.
>>
>>
> When I do:
>
> cd /usr/src
> make update (2006-05-05)
> make clean
> ...
> and
>
> cp libalias_ipfw.patch /usr/src
> cd /usr/src
> patch -p3 < libalias_ipfw.patch

strange... is your src tree clean?

cd /usr/src && find . -name "*.rej"

let's see if some patch didn't apply.

P.

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 5 12:31:57 2006
Message-ID: <445B45B4.4030404@freebsdbrasil.com.br>
Date: Fri, 05 May 2006 09:31:48 -0300
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: ipfw@freebsd.org
In-Reply-To: <445B27FF.10803@boox.co.yu>
Subject: Re: [6.x patchset] Ipfw nat and libalias modules

Nenad Gavrilovic wrote:
> Paolo Pisati wrote:
>
>> I just released a new revision of my libalias+ipfw work as a patchset
>> for 6.x, get it here:
>> http://mercurio.srv.dsi.unimi.it/~pisati/libalias/libalias-6.x.tgz
>>
>> To apply it:
>> cp libalias_ipfw.patch /usr/src
>> cd /usr/src
>> patch -p3 < libalias_ipfw.patch
>>
>> then you have to recompile & install:
>>
>> kernel, sbin/ipfw, sbin/natd, sbin/ppp, lib/libalias,
>> sys/modules/ipfw, sys/modules/libalias
>>
>> or simply do a world.
>>
>>
> When I do:
>
> cd /usr/src
> make update (2006-05-05)
> make clean
> ...
> and
>
> cp libalias_ipfw.patch /usr/src
> cd /usr/src
> patch -p3 < libalias_ipfw.patch
>
> and
>
> make kernel
>
> I get the error as follows:

Probably you don't have the latest RELENG_6 code or it is not in sync (say, manually modified). I have ipfw nat running on -RC1 and -RC2, i386 and amd64, and with clean src the patch applies perfectly.

--
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
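Paolo's `find . -name "*.rej"` and Patrick's "clean src" condition can be folded into one pre-flight script run before the patchset is applied. The script below is an added example written for this thread, not code from the patchset or from either poster. It assumes a unified diff in which new files appear as hunks with `--- /dev/null`, and a strip level given the same way as `patch -p3`; the fixture in `demo` is constructed and is not the real patchset.

```shell
#!/bin/sh
# check_patch_tree: pre-flight checks before (re)applying a patchset to a
# source tree, catching the two ways a "clean" tree turns out not to be:
#   1. leftover *.rej files from an earlier apply that partly failed
#   2. files the patch would create (hunks whose "---" side is /dev/null)
#      that already exist, e.g. left behind by an earlier apply that a
#      source update did not remove; patch(1) then adds a second copy of
#      the file body and the compiler reports "redefinition of ..." for
#      every symbol in it.
# Usage: check_patch_tree <srctree> <patchfile> [strip-level as for patch -p]
# Exit status 0 = clean, 1 = findings printed.

new_files_in_patch() {
    # Print the "+++" path of every file-creation hunk in a unified diff.
    # Assumption: "--- /dev/null" is immediately followed by the "+++" line.
    awk '
        /^--- \/dev\/null/ { want = 1; next }
        want && /^\+\+\+ / { sub(/^\+\+\+ /, ""); sub(/\t.*/, ""); print }
        { want = 0 }
    ' "$1"
}

strip_path() {
    # Remove the first N leading path components, as patch -pN does.
    path=$1; n=$2
    while [ "$n" -gt 0 ] && [ "${path#*/}" != "$path" ]; do
        path=${path#*/}
        n=$((n - 1))
    done
    printf '%s\n' "$path"
}

check_patch_tree() {
    tree=$1; patchfile=$2; strip=${3:-0}; status=0
    rejects=$(find "$tree" -name '*.rej' -print)
    if [ -n "$rejects" ]; then
        echo "reject files from an earlier apply:"
        echo "$rejects"
        status=1
    fi
    # Paths with whitespace are not expected in a BSD source tree.
    for f in $(new_files_in_patch "$patchfile"); do
        rel=$(strip_path "$f" "$strip")
        if [ -e "$tree/$rel" ]; then
            echo "$rel already exists but the patch creates it; remove it first"
            status=1
        fi
    done
    return "$status"
}

demo() {
    # Constructed fixture (not from the thread): a tree that already holds a
    # copy of one file the patch creates, as after a second apply.
    d=$(mktemp -d)
    mkdir -p "$d/src/sys/netinet/libalias"
    printf 'int fingerprint;\n' > "$d/src/sys/netinet/libalias/alias_dummy.c"
    cat > "$d/new.patch" <<'EOF'
--- /dev/null
+++ src/a/b/sys/netinet/libalias/alias_dummy.c
@@ -0,0 +1 @@
+int fingerprint;
--- /dev/null
+++ src/a/b/sys/netinet/libalias/alias_mod.c
@@ -0,0 +1 @@
+int alias_mod;
EOF
    check_patch_tree "$d/src" "$d/new.patch" 3
    rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -ge 2 ]; then
    check_patch_tree "$@"
elif demo; then
    echo "demo: tree is clean"
else
    echo "demo: tree needs cleanup before applying the patch"
fi
```

Run it as `check_patch_tree /usr/src libalias_ipfw.patch 3` from a copy of the script; with no arguments it runs the constructed demo, which reports `alias_dummy.c` as already present. The point of listing the exact files is that the operator can remove only those, instead of deleting whole subdirectories and re-fetching the tree.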
From owner-freebsd-ipfw@FreeBSD.ORG Fri May 5 12:36:48 2006
Message-ID: <445B46C3.3070100@boox.co.yu>
Date: Fri, 05 May 2006 14:36:19 +0200
From: Nenad Gavrilovic
To: Paolo Pisati
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <445B3EA5.3050109@oltrelinux.com>
Subject: Re: [6.x patchset] Ipfw nat and libalias modules

Paolo Pisati wrote:
> Nenad Gavrilovic wrote:
>
>> Paolo Pisati wrote:
>>
>>> I just released a new revision of my libalias+ipfw work as a
>>> patchset for 6.x, get it here:
>>> http://mercurio.srv.dsi.unimi.it/~pisati/libalias/libalias-6.x.tgz
>>>
>>> To apply it:
>>> cp libalias_ipfw.patch /usr/src
>>> cd /usr/src
>>> patch -p3 < libalias_ipfw.patch
>>>
>>> then you have to recompile & install:
>>>
>>> kernel, sbin/ipfw, sbin/natd, sbin/ppp, lib/libalias,
>>> sys/modules/ipfw, sys/modules/libalias
>>>
>>> or simply do a world.
>>>
>>>
>> When I do:
>>
>> cd /usr/src
>> make update (2006-05-05)
>> make clean
>> ...
>> and
>>
>> cp libalias_ipfw.patch /usr/src
>> cd /usr/src
>> patch -p3 < libalias_ipfw.patch
>
>
> strange... is your src tree clean?

YES!!!

When I got the error the first time, I did:

cd /usr/obj
rm ALL
cd /usr/src
make clean
make clean
make update

and applied your patch. Again I get the same error.

>
> cd /usr/src && find . -name "*.rej"

NONE!!!

>
>
> let's see if some patch didn't apply.
>
> P.

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 5 13:58:31 2006
Message-ID: <445B59F4.1090609@boox.co.yu>
Date: Fri, 05 May 2006 15:58:12 +0200
From: Nenad Gavrilovic
To: Patrick Tracanelli
Cc: ipfw@freebsd.org
In-Reply-To: <445B45B4.4030404@freebsdbrasil.com.br>
Subject: Re: [6.x patchset] Ipfw nat and libalias modules

Patrick Tracanelli wrote:
> Nenad Gavrilovic wrote:
>
>> Paolo Pisati wrote:
>>
>>> I just released a new revision of my libalias+ipfw work as a
>>> patchset for 6.x, get it here:
>>> http://mercurio.srv.dsi.unimi.it/~pisati/libalias/libalias-6.x.tgz
>>>
>>> To apply it:
>>> cp libalias_ipfw.patch /usr/src
>>> cd /usr/src
>>> patch -p3 < libalias_ipfw.patch
>>>
>>> then you have to recompile & install:
>>>
>>> kernel, sbin/ipfw, sbin/natd, sbin/ppp, lib/libalias,
>>> sys/modules/ipfw, sys/modules/libalias
>>>
>>> or simply do a world.
>>>
>>>
>> When I do:
>>
>> cd /usr/src
>> make update (2006-05-05)
>> make clean
>> ...
>> and
>>
>> cp libalias_ipfw.patch /usr/src
>> cd /usr/src
>> patch -p3 < libalias_ipfw.patch
>>
>> and
>>
>> make kernel
>>
>> I get the error as follows:
>
>
> Probably you don't have the latest RELENG_6 code or it is not in sync
> (say, manually modified). I have ipfw nat running on -RC1 and -RC2,
> i386 and amd64 and with clean src the patch applies perfectly.
>

Yes, I tried again. And I get the error again!
cd /usr/obj
rm ALL
cd /usr/src
make clean
make clean
make update (files changed by patch)
make update (NONE!!!)

Apply your patch. And I get the same error.

I installed the previous patch, and my PC with in-kernel NAT works OK.

Can you help me?

Thanks!

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 5 14:16:31 2006
Message-ID: <445B5E3A.5030800@freebsdbrasil.com.br>
Date: Fri, 05 May 2006 11:16:26 -0300
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: ipfw@freebsd.org
In-Reply-To: <445B59F4.1090609@boox.co.yu>
Subject: Re: [6.x patchset] Ipfw nat and libalias modules

>> Probably you don't have the latest RELENG_6 code or it is not in sync
>> (say, manually modified). I have ipfw nat running on -RC1 and -RC2,
>> i386 and amd64 and with clean src the patch applies perfectly.
>>
> Yes, I tried again. And I get the error again!
>
> cd /usr/obj
> rm ALL
> cd /usr/src
> make clean
> make clean
> make update (files changed by patch)
> make update (NONE!!!)
>
> Apply your patch. And I get the same error.
>
> I installed the previous patch, and my PC with in-kernel NAT works OK.
>
> Can you help me?
>
> Thanks!

How is your code sync'ed? Which RELENG from which date?

Try

rm -rf sys/modules/libalias sys/modules/ipfw sys/conf/files/

cvsup -g -L2 -h cvsup.freebsd.org /usr/share/examples/cvsup/stable-supfile

cd /usr/src/
cp .
patch -p3 <

Do a world build.

I am considering that your code is not in sync with recent RELENG_6. If it is -RC2, try only rm -rf'ing the mentioned subdirectories and cvsup.

BTW I have static IPFIREWALL so I added

options LIBALIAS

to my kernel conf file

--
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 6 12:18:41 2006
Message-ID: <445C9418.6040201@boox.co.yu>
Date: Sat, 06 May 2006 14:18:32 +0200
From: Nenad Gavrilovic
To: Patrick Tracanelli
Cc: ipfw@freebsd.org
In-Reply-To: <445B5E3A.5030800@freebsdbrasil.com.br>
Subject: Re: [6.x patchset] Ipfw nat and libalias modules

Patrick Tracanelli wrote:
>>> Probably you don't have the latest RELENG_6 code or it is not in sync
>>> (say, manually modified). I have ipfw nat running on -RC1 and -RC2,
>>> i386 and amd64 and with clean src the patch applies perfectly.
>>>
>> Yes, I tried again. And I get the error again!
>>
>> cd /usr/obj
>> rm ALL
>> cd /usr/src
>> make clean
>> make clean
>> make update (files changed by patch)
>> make update (NONE!!!)
>>
>> Apply your patch. And I get the same error.
>>
>> I installed the previous patch, and my PC with in-kernel NAT works OK.
>>
>> Can you help me?
>>
>> Thanks!
>
>
> How is your code sync'ed? Which RELENG from which date?
>
> Try
>
> rm -rf sys/modules/libalias sys/modules/ipfw sys/conf/files/
>
> cvsup -g -L2 -h cvsup.freebsd.org
> /usr/share/examples/cvsup/stable-supfile
>
> cd /usr/src/
> cp .
> patch -p3 <
>
> Do a world build.
>
> I am considering that your code is not in sync with recent RELENG_6. If it
> is -RC2, try only rm -rf'ing the mentioned subdirectories and cvsup.
>
> BTW I have static IPFIREWALL so I added
>
> options LIBALIAS
>
> to my kernel conf file
>

Yes, I found the problem.

The problem was in two new files, alias_dummy.c and alias_mod.c. Because these files are new, cvsup doesn't delete them, and patch appends to the old file (and appends, and appends, ...). (I didn't try the cvsup -D option.)

When I edited them (leaving only one copy of the source instead of many), the compile is OK.

Now, I think that we have to make some ipfw example code for in-kernel NAT with and without keep-state/check-state. I start on Monday with stateful ipfw.

Thanks for helping me!!!
(Now I have FreeBSD 6.1)

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 6 19:17:17 2006
Message-ID: <445CF635.4050700@freebsdbrasil.com.br>
Date: Sat, 06 May 2006 16:17:09 -0300
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: ipfw@freebsd.org
In-Reply-To: <445C9418.6040201@boox.co.yu>
Subject: Re: [6.x patchset] Ipfw nat and libalias modules

> Now, I think that we have to make some ipfw example code for in-kernel NAT
> with and without keep-state/check-state.
> I start on Monday with stateful ipfw.
>
> Thanks for helping me!!!
> (Now I have FreeBSD 6.1)
>

I haven't tried with keep-state yet (I don't even know if keep-state is ready to maintain "nat" state; I think it is not).

The box which is taking me to the internet right now at my building is ipfw nat, for wired and wireless networks. Here are the running rules:

(eksffa@hs)~# ipfw show | grep nat
20000 19812654 104938057 nat 20 ip from { 10.69.69.0/24 or 172.16.69.0/24 } to any out via sis0
20100 27128929 37927915720 nat 20 ip from any to any in via sis0

(eksffa@hs)~# ipfw nat 20 show config
ipfw nat 20 config if sis0 log unreg_only redir_port tcp 10.69.69.13:4662 4662 redir_port tcp 10.69.69.39:80 3980 redir_port tcp 10.69.69.39:6969 3969

(eksffa@hs)~# grep nat /etc/rc.firewall
$fwcmd nat 20 config if sis0 log unreg_only redir_port tcp 10.69.69.13:4662 4662 redir_port tcp 10.69.69.39:80 3980 redir_port tcp 10.69.69.39:6969 3969
$fwcmd add 20000 set 20 nat 20 all from $redes to any out via $ife
$fwcmd add 20100 set 20 nat 20 all from any to any in via $ife

I have some more environments running NAT on different IPs with "prob", for testing purposes. I can print the configs next week, since I can't access those boxes on weekends.

I hope it helps as an example; I have just rewritten the selective "divert" rules I used before into "nat" rules.

BTW (offside note): next week I will add a TinyBSD image with ipfw nat (FreeBSD 6.1) on www.tinybsd.org, so if anyone wants to try ipfw nat on their soekris/wrap/whatever boards, hang on until Wednesday.

--
Patrick Tracanelli