From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 16 00:08:13 2008
Return-Path:
Delivered-To: ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 16DF61065672 for ; Sun, 16 Nov 2008 00:08:13 +0000 (UTC) (envelope-from jguojun@gmail.com)
Received: from smtp121.sbc.mail.sp1.yahoo.com (smtp121.sbc.mail.sp1.yahoo.com [69.147.64.94]) by mx1.freebsd.org (Postfix) with SMTP id EF3E38FC0A for ; Sun, 16 Nov 2008 00:08:12 +0000 (UTC) (envelope-from jguojun@gmail.com)
Received: (qmail 45553 invoked from network); 16 Nov 2008 00:08:12 -0000
Received: from unknown (HELO ?192.168.2.14?) (jguojun@75.37.2.43 with plain) by smtp121.sbc.mail.sp1.yahoo.com with SMTP; 16 Nov 2008 00:08:12 -0000
X-YMail-OSG: wiknvWUVM1mpxQfeCnJSudaJxjsmC70dOl9J2rxuC89vTi7bRjWiXU8hYpEYLMGfsn5rsXNV1AAKfXUQRFqaKN57ekxyfJwDWZydqcyTIPAopGWUoeXiWzEKemCry7rTrco-
X-Yahoo-Newman-Property: ymail-3
Message-ID: <491F6466.40309@gmail.com>
Date: Sat, 15 Nov 2008 16:08:06 -0800
From: "Jin Guojun[VFF]"
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.13) Gecko/20071201
X-Accept-Language: en, zh, zh-CN
To: Erik Trulsson
References: <491F413A.4020108@gmail.com> <20081115223556.GA45503@owl.midgard.homeip.net> <491F54A0.9090702@gmail.com>
In-Reply-To: <491F54A0.9090702@gmail.com>
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: questions@freebsd.org, ipfw@freebsd.org
Subject: Re: some ipfw filter does not function under Release 6.3
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 16 Nov 2008 00:08:13 -0000

I think this is a bug in ipfw because after changing the rule order, the
problem persists:

00566    26    3090 deny ip from 221.192.199.36 to any
65330  2018  983473 allow tcp from any to any established
65535     0       0 deny ip from any to any

15:47:21.238720 IP 221.192.199.36.4469 > 192.168.2.14.80: S 3191960249:3191960249(0) win 65535
15:47:21.238768 IP 192.168.2.14.80 > 221.192.199.36.4469: S 2102254306:2102254306(0) ack 3191960250 win 65535
15:47:21.483754 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win 65535
15:47:21.499489 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205) ack 1 win 65535
15:47:24.238570 IP 192.168.2.14.80 > 221.192.199.36.4469: S 2102254306:2102254306(0) ack 3191960250 win 65535
15:47:24.482113 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win 65535
15:47:24.498613 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205) ack 1 win 65535
15:47:30.238574 IP 192.168.2.14.80 > 221.192.199.36.4469: S 2102254306:2102254306(0) ack 3191960250 win 65535
15:47:30.482746 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win 65535
15:47:30.513193 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205) ack 1 win 65535
15:47:42.238577 IP 192.168.2.14.80 > 221.192.199.36.4469: S 2102254306:2102254306(0) ack 3191960250 win 65535
15:47:42.435040 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205) ack 1 win 65535
15:47:42.466055 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win 65535
15:47:54.466599 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205) ack 1 win 65535
15:47:59.703272 IP 221.192.199.36.4469 > 192.168.2.14.80: R 206:206(0) ack 1 win 0

Jin Guojun[VFF] wrote:

> But the rule 330 should only allow established TCP to pass through.
> In other words, Sync should NOT be allowed by rule 330, or have I missed
> something about this rule?
>
> Erik Trulsson wrote:
>
>> On Sat, Nov 15, 2008 at 01:38:02PM -0800, Jin Guojun[VFF] wrote:
>>
>>> Below is a set of ipfw rules, but it seems that not all rules are
>>> functioning properly. From rule 361 to the first two of rule 567 are
>>> not blocking any traffic and not measuring any traffic. Is this because
>>> tcp rule (330) can overwrite the ip rule? Or is this a known issue in
>>> R-6.3?
>>
>> In general the first matching rule is the one that is applied.
>> In your case this means that if a packet matches your rule 330 then
>> it will be allowed through, and the rules further down the list will
>> not be considered.
>>
>>> The second and third rules in rule set 567 seem to be working well.
>>>
>>> -Jin
>>>
>>> ---------------- ipfw rule sets ---------
>>> 00330 3108378 2700826874 allow tcp from any to any established
>>> 00361       0          0 deny ip from 203.83.248.93 to any
>>> 00361       0          0 deny ip from 72.30.142.215 to any
>>> 00567       0          0 deny ip from 193.200.241.171 to any
>>> 00567       0          0 deny ip from 221.192.199.36 to any
>>> 00567       3        180 deny ip from 118.153.18.186 to any
>>> 00567       3        180 deny ip from 203.78.214.180 to any
>>> 00567       0          0 deny ip from 118.219.232.123 to any
>>> 65500     220      20043 allow udp from any to any
>>> 65535       2        120 deny ip from any to any
>>>
>>> ------ traffic captured by tcpdump behind ipfw machine -----
>>> 04:12:20.940095 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200229998:200229998(0) win 8192
>>> 04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200229999:200229999(0) win 0
>>> 04:31:16.262402 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200233658:200233658(0) win 8192
>>> 04:31:16.541868 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200233659:200233659(0) win 0
>>> 05:27:04.031434 IP 221.192.199.36.12200 > 192.168.2.14.80: S 200244634:200244634(0) win 8192
>>> 05:27:04.303262 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200244635:200244635(0) win 0
>>> 05:28:18.099443 IP 221.192.199.36.3362 > 192.168.2.14.80: S 2422872529:2422872529(0) win 65535
>>> 05:28:18.352083 IP 221.192.199.36.3362 > 192.168.2.14.80: . ack 3968474717 win 65535
>>> 05:28:18.367745 IP 221.192.199.36.3362 > 192.168.2.14.80: P 0:205(205) ack 1 win 65535
>>> 05:28:18.621538 IP 221.192.199.36.3362 > 192.168.2.14.80: R 205:205(0) ack 473 win 0

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 16 08:02:46 2008
Date: Sun, 16 Nov 2008 08:02:46 GMT
Message-Id: <200811160802.mAG82kXE026629@freefall.freebsd.org>
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/128902: [ipfw] ipfw allow tcp from any to any established allow Sync pass through

Old Synopsis: ipfw allow tcp from any to any established allow Sync pass through
New Synopsis: [ipfw] ipfw allow tcp from any to any established allow Sync pass through

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Nov 16 08:02:19 UTC 2008
Responsible-Changed-Why: Over to
maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=128902

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 16 21:21:22 2008
Message-ID: <49208ECC.5020008@gmail.com>
Date: Sun, 16 Nov 2008 13:21:16 -0800
From: "Jin Guojun[VFF]"
To: Ian Smith
In-Reply-To: <20081116224655.J70117@sola.nimnet.asn.au>
Cc: ipfw@freebsd.org, questions@freebsd.org
Subject: Re: some ipfw filter does not function under Release 6.3

Ian Smith wrote:
> On Sat, 15 Nov 2008, Jin Guojun[VFF] wrote:
>
> > I think this is a bug in ipfw because after changing the rule order, the
> > problem persists:
> > 00566 26 3090 deny ip from 221.192.199.36 to any
> > 65330 2018 983473 allow tcp from any to any established
> > 65535 0 0 deny ip from any to any
>
> Are you saying that the packets shown below from 221.192.199.36 arrived
> =after= you added rule 566, which denies all traffic from that address?
>
> Are you showing us your entire ruleset; is it just those three rules?
>
> Is the tcpdump shown running on the same box as ipfw, or another box?
>
> If another box, how is it connected through the firewall, to the net?
>
> Which machine performs NAT for your network? None of this is obvious.
>
> Please show output of 'ifconfig' and 'netstat -rn' on the ipfw box?

Let's clear this up a little bit. The above rule order actually worked after
the machine was rebooted. I do not know why it was not working when I changed
rule 65330 from 00330. This may be another bug. But again, after rebooting
the machine, this rule order works. This demonstrates that rule order 00330
did not block the Sync packet as it was supposed to do. You also mentioned
and confirmed below that it should work this way.

---------- working order ---------
00566    26    3090 deny ip from 221.192.199.36 to any
65330  2018  983473 allow tcp from any to any established
65535     0       0 deny ip from any to any
---------- Non working order ---------
00330  2018  983473 allow tcp from any to any established
00566     0       0 deny ip from 221.192.199.36 to any
65535     0       0 deny ip from any to any
--------------------------------------------------

> > In general the first matching rule is the one that is applied.
> > In your case this means that if a packet matches your rule 330 then
> > it will be allowed through, and the rules further down the list will
> > not be considered.
>
> Erik is right; you'll have to deny unwanted traffic before allowing the
> established traffic. 'established' here really means 'not setup', ie
> not SYN-only packets; ipfw doesn't track TCP sessions, the stack does.

We see this (Sync-only packet) passed through, so this is the problem.
Because once the Sync packet is passed through, the receiver will respond
with Sync/ACK, and then the attacker knows the machine is in service.

> People can send bogus established packets, and though they won't have a
> socket to connect to, they're still inbound traffic you have to receive
> to even block, which can consume bandwidth and perhaps money.

We saw this too, from 221.192.199.36, but I did not complain about this,
because we do not bother, since the receiving machine will not respond to
it. The attacker also sends bogus Reset packets, and FreeBSD ignores them
too. So, this is not the problem.

> Sometimes these are a result of someone sending TCP setup packets to
> some other host, with the source address forged as yours .. you get the
> SYN+ACK packets, which do pass as established through ipfw. It's
> possible that the host you see as attacking you may itself be victim ..
>
> Yes, did I read your PR .. no sign of that host here so far, so it might
> just be scanning networks a bit closer to home:
>
> http://www.iptools.com/dnstools.php?tool=ipwhois&user_data=221.192.199.36&submit=Go

It does not matter if this is a fake machine or a victim machine; ipfw
should always block it as instructed to do. We cannot give it mercy and let
it pass through because it is a victim. Otherwise, we will be the victim :-)

That is why I filed the PR for the problem with rule order
00330-00566-65535. I did not say rule order 00566-65330-65535 is the
problem in the PR. Hopefully, this makes it clear.

BTW, the ipfw machine is the gateway (between WAN-LAN). The rest of the
machines are behind it on the LAN.
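To make the first-match and 'established'/'setup' semantics that Erik and Ian describe concrete, here is an added example (not code from the thread or from ipfw itself): a toy Python model of ipfw rule evaluation, run over Jin's two rule orders and the tcpdump lines quoted above. It also understands 'setup' and 'via IFACE', so the 'allow tcp ... via em0 setup' rule that turns up later in the thread can be tried with the packet arriving on either interface; the interface a packet is seen on is an assumption the caller supplies, since a capture line does not carry it.

```python
"""Toy model of ipfw first-match rule evaluation (illustration only, not ipfw's code).
Handles the rule forms used in this thread: allow/deny, ip/tcp/udp, from/to with 'any',
a host or a CIDR block, and the options 'established', 'setup' and 'via IFACE'."""
import ipaddress
import re
from collections import namedtuple

# Packet.flags is a frozenset drawn from {"SYN", "ACK", "PSH", "RST", "FIN"}; iface is the
# interface the packet is seen on (an assumption supplied by the caller, e.g. "em0").
Packet = namedtuple("Packet", "src dst proto flags iface")
# Rule.proto "ip" matches any protocol; opts holds trailing options, e.g. ("via", "em0", "setup").
Rule = namedtuple("Rule", "num action proto src dst opts")

# 'ipfw -a list' output: "00330 2018 983473 allow tcp from any to any established";
# the packet and byte counters are optional.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?:\d+\s+\d+\s+)?(?P<action>allow|deny)\s+(?P<proto>\w+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s*(?P<opts>.*)$")

# "15:47:21.238720 IP 221.192.199.36.4469 > 192.168.2.14.80: S 3191960249:3191960249(0) win 65535"
DUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: (?P<flags>[SPRF.]+)(?P<rest>.*)$")
FLAG_LETTERS = {"S": "SYN", "P": "PSH", "R": "RST", "F": "FIN"}

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    return Rule(int(m["num"]), m["action"], m["proto"], m["src"], m["dst"],
                tuple(m["opts"].split()))

def parse_tcpdump(line, iface):
    """Old-style tcpdump TCP line -> Packet; ACK is printed as 'ack N', '.' alone means no other flag."""
    m = DUMP_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported tcpdump line: %r" % line)
    flags = {FLAG_LETTERS[c] for c in m["flags"] if c in FLAG_LETTERS}
    if " ack " in m["rest"]:
        flags.add("ACK")
    return Packet(m["src"], m["dst"], "tcp", frozenset(flags), iface)

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    opts = list(rule.opts)
    while opts:
        opt = opts.pop(0)
        if opt == "established":    # ipfw(8): TCP packets with RST or ACK set
            ok = pkt.proto == "tcp" and bool(pkt.flags & {"RST", "ACK"})
        elif opt == "setup":        # ipfw(8): TCP packets with SYN set but no ACK
            ok = pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags
        elif opt == "via":          # packet passes through this interface, in or out
            ok = opts.pop(0) == pkt.iface
        else:
            raise ValueError("unsupported option: %r" % opt)
        if not ok:
            return False
    return True

def evaluate(rules, pkt):
    """First matching rule wins; returns (rule number, action)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.num, rule.action
    raise RuntimeError("no rule matched; a real ipfw ruleset always ends with 65535")

def verdicts(ruleset_text, dump_lines, iface="em0"):
    rules = [parse_rule(l) for l in ruleset_text.splitlines() if l.strip()]
    return [evaluate(rules, parse_tcpdump(l, iface)) for l in dump_lines]

# Jin's two rule orders, copied from the thread.
NON_WORKING = """00330 2018 983473 allow tcp from any to any established
00566 0 0 deny ip from 221.192.199.36 to any
65535 0 0 deny ip from any to any
"""
WORKING = """00566 26 3090 deny ip from 221.192.199.36 to any
65330 2018 983473 allow tcp from any to any established
65535 0 0 deny ip from any to any
"""
# The rule Jin later finds, placed in front of the others; it was written for em0 as the LAN port.
WITH_SETUP_RULE = "00123 12 528 allow tcp from any to 192.168.0.0/16 via em0 setup\n" + NON_WORKING

# Lines from the thread's captures: SYN, bare ACK, PSH+ACK, RST+ACK and a bare RST.
CAPTURE = [
    "15:47:21.238720 IP 221.192.199.36.4469 > 192.168.2.14.80: S 3191960249:3191960249(0) win 65535",
    "15:47:21.483754 IP 221.192.199.36.4469 > 192.168.2.14.80: . ack 1 win 65535",
    "15:47:21.499489 IP 221.192.199.36.4469 > 192.168.2.14.80: P 1:206(205) ack 1 win 65535",
    "15:47:59.703272 IP 221.192.199.36.4469 > 192.168.2.14.80: R 206:206(0) ack 1 win 0",
    "04:12:21.204430 IP 221.192.199.36.12200 > 192.168.2.14.80: R 200229999:200229999(0) win 0",
]

if __name__ == "__main__":
    for name, text in (("330 first", NON_WORKING), ("566 first", WORKING), ("123 first", WITH_SETUP_RULE)):
        print(name, verdicts(text, CAPTURE))
```

With 330 in front only the SYN is stopped by 566 (it matches neither RST nor ACK), while the bare ACK, PSH+ACK and RST packets from the same host pass as 'established', exactly the bogus traffic Ian describes; only the 'via em0 setup' rule, with em0 now the WAN side, lets the SYN through.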
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 17 01:19:02 2008
Message-ID: <4920C685.1050004@gmail.com>
Date: Sun, 16 Nov 2008 17:19:01 -0800
From: "Jin Guojun[VFF]"
To: Ian Smith
In-Reply-To: <20081116224655.J70117@sola.nimnet.asn.au>
Cc: Erik Trulsson, freebsd-bugs@FreeBSD.org, ipfw@freebsd.org
Subject: Re: some ipfw filter does not function under Release 6.3

Ian Smith wrote:
> On Sat, 15 Nov 2008, Jin Guojun[VFF] wrote:
>
> > I think this is a bug in ipfw because after changing the rule order, the
> > problem persists:
> > 00566 26 3090 deny ip from 221.192.199.36 to any
> > 65330 2018 983473 allow tcp from any to any established
> > 65535 0 0 deny ip from any to any
>
> Are you saying that the packets shown below from 221.192.199.36 arrived
> =after= you added rule 566, which denies all traffic from that address?
>
> Are you showing us your entire ruleset; is it just those three rules?
>
> Is the tcpdump shown running on the same box as ipfw, or another box?
>
> If another box, how is it connected through the firewall, to the net?
>
> Which machine performs NAT for your network? None of this is obvious.
>
> Please show output of 'ifconfig' and 'netstat -rn' on the ipfw box?

I have found the problem: it is due to the NIC naming change after the
motherboard upgrade. The em0 was the LAN port, but now it is the WAN port.
So, the following rule caused Sync coming in:

00123 12 528 allow tcp from any to 192.168.0.0/16 via em0 setup

This is my configuration fault, and we can close PR kern/128902.

Thanks,
-Jin

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 17 02:46:23 2008
Date: Mon, 17 Nov 2008 02:46:23 GMT
Message-Id: <200811170246.mAH2kNq4070006@freefall.freebsd.org>
From: linimon@FreeBSD.org
To: jguojun@gmail.com, linimon@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/128902: [ipfw] ipfw allow tcp from any to any established allow Sync pass through

Synopsis: [ipfw] ipfw allow tcp from any to any established allow Sync pass through

State-Changed-From-To: open->closed
State-Changed-By: linimon
State-Changed-When: Mon Nov 17 02:46:08 UTC 2008
State-Changed-Why: Closed at submitter's request.
http://www.freebsd.org/cgi/query-pr.cgi?pr=128902

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 17 03:06:33 2008
Date: Mon, 17 Nov 2008 14:06:30 +1100 (EST)
From: Ian Smith
To: "Jin Guojun[VFF]"
In-Reply-To: <4920C685.1050004@gmail.com>
Message-ID: <20081117134532.S70117@sola.nimnet.asn.au>
Cc: Erik Trulsson, ipfw@freebsd.org, questions@freebsd.org
Subject: Re: some ipfw filter does not function under Release 6.3

On Sun, 16 Nov 2008, Jin Guojun[VFF] wrote:
> Ian Smith wrote:
>
> > On Sat, 15 Nov 2008, Jin Guojun[VFF] wrote:
> >
> > > I think this is a bug in ipfw because after changing the rule order, the
> > > problem persists:
> > > 00566 26 3090 deny ip from 221.192.199.36 to any
> > > 65330 2018 983473 allow tcp from any to any established
> > > 65535 0 0 deny ip from any to any
> >
> > Are you saying that the packets shown below from 221.192.199.36 arrived
> > =after= you added rule 566, which denies all traffic from that address?
> >
> > Are you showing us your entire ruleset; is it just those three rules?
> >
> > Is the tcpdump shown running on the same box as ipfw, or another box?
> > If another box, how is it connected through the firewall, to the net?
> >
> > Which machine performs NAT for your network? None of this is obvious.
> >
> > Please show output of 'ifconfig' and 'netstat -rn' on the ipfw box?
>
> I have found the problem: it is due to the NIC naming change after the
> motherboard upgrade.
> The em0 was the LAN port, but now it is the WAN port. So, the following
> rule caused Sync coming in:
>
> 00123 12 528 allow tcp from any to 192.168.0.0/16 via em0 setup

Ahah!

> This is my configuration fault, and we can close PR kern/128902.
>
> Thanks,
> -Jin

Glad you found it so soon, Jin; that was one very short-lived PR :)

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 17 04:36:33 2008
Message-ID: <4920F4CC.2020501@gmail.com>
Date: Sun, 16 Nov 2008 20:36:28 -0800
From: "Jin Guojun[VFF]"
To: Ian Smith
In-Reply-To: <20081117134532.S70117@sola.nimnet.asn.au>
Cc: Erik Trulsson, ipfw@freebsd.org, questions@freebsd.org
Subject: Re: some ipfw filter does not function under Release 6.3

Ian Smith wrote:
> On Sun, 16 Nov 2008, Jin Guojun[VFF] wrote:
> > Ian Smith wrote:
> >
> > > On Sat, 15 Nov 2008, Jin Guojun[VFF] wrote:
> > >
> > > > I think this is a bug in ipfw because after changing the rule order, the
> > > > problem persists:
> > > > 00566 26 3090 deny ip from 221.192.199.36 to any
> > > > 65330 2018 983473 allow tcp from any to any established
> > > > 65535 0 0 deny ip from any to any
> > >
> > > .... snapped
> >
> > I have found the problem: it is due to the NIC naming change after the
> > motherboard upgrade.
> > The em0 was the LAN port, but now it is the WAN port. So, the following
> > rule caused Sync coming in:
> >
> > 00123 12 528 allow tcp from any to 192.168.0.0/16 via em0 setup
>
> Ahah!
>
> > This is my configuration fault, and we can close PR kern/128902.
> >
> > Thanks,
> > -Jin
>
> Glad you found it so soon, Jin; that was one very short-lived PR :)

This is a kind of hard one to catch, since this machine was tested and
working before. I traced many machines with R-6.1 and R-6.2 around the
country and found no problem. The recent change to this machine was an AMD
to P4 motherboard swap for better memory bandwidth, but I overlooked that
the NIC names changed. Now we have historical information on what could
cause such a failure.

-Jin

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 17 11:06:52 2008
Date: Mon, 17 Nov 2008 11:06:51 GMT
Message-Id: <200811171106.mAHB6pmi082553@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

48 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 04:24:58 2008 Return-Path: Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E2FC7106564A for ; Fri, 21 Nov 2008 04:24:58 +0000 (UTC) (envelope-from security@jim-liesl.org) Received: from smtp2.mc.surewest.net (qsmtp.mc.surewest.net [66.60.130.145]) by mx1.freebsd.org (Postfix) with SMTP id C2C668FC18 for ; Fri, 21 Nov 2008 04:24:58 +0000 (UTC) (envelope-from security@jim-liesl.org) Received: (qmail 25602 invoked from network); 20 Nov 2008 19:58:02 -0800 Received: by simscan 1.1.0 ppid: 25599, pid: 25600, t: 0.0795s scanners: regex: 1.1.0 attach: 1.1.0 Received: from unknown (HELO smtp.jim-liesl.org) (66.60.173.44) by smtp2 with SMTP; 20 Nov 2008 19:58:02 -0800 Received: from smtp.jim-liesl.org (localhost.static.surewest.net [127.0.0.1]) by smtp.jim-liesl.org (Postfix) with ESMTP id 465AE5DBB; Thu, 20 Nov 2008 19:58:17 -0800 (PST) Received: from [IPv6:::1] (daemon.static.surewest.net [192.168.1.15]) by smtp.jim-liesl.org (Postfix) with ESMTP id BDD0B5DB8; Thu, 20 Nov 2008 19:58:16 -0800 (PST) Message-ID: <492631D7.30909@jim-liesl.org> Date: Thu, 20 Nov 2008 19:58:15 -0800 From: security User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: freebsd-net@FreeBSD.org, freebsd-ipfw@FreeBSD.ORG X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP Cc: Subject: ipfw/dummynet question X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Nov 2008 04:24:59 -0000 context is 7.1-beta2 I'm using a FreeBSD box as a router and IPFW/dummynet to simulate 3 WAN connections. 
The three networks are actually on the same lan, but have aliased ip's on the router's NIC (router on a stick). I've set up bi-directional pipes for each "net" that enforce various impairments. What I'm trying to do is have all traffic to or from "net-a" simulate a 30Mbit link, "net-b" a 20Mbit, and "net-c" a 10Mbit one. Traffic coming from elsewhere would not be touched until it was outbound for one of the 3 nets, and like wise, traffic coming from the 3 nets and going elsewhere would only be touched coming in. Traffic who's src and dst don't match at all would fall through. An example would be traffic from "net-a" going to "net-c" gets passed into the router like it's on a 30Mbit link, but heads out (after routing) like it's on a 10 Mbit link Question: Am I on the right path or have I made some stupid assumption(s)? I realize I have a few extra rules that could be optimized out, but this is probably good for the sake of readability. Another question, is each ip flow treated like it has it's own dedicated bw, or do all flows that match a pipe share the b/w ? 
thx
jim

(assume one_pass is set)

# split by direction first: inbound traffic is handled at 100-400, outbound at 500-1000
${fwcmd} add 10 skipto 100 ip from any to any in
${fwcmd} add 20 skipto 500 ip from any to any out

# inbound: shape by source net; anything else jumps straight to the default rule
${fwcmd} add 100 pipe 1 ip from net-a to any
${fwcmd} add 200 pipe 2 ip from net-b to any
${fwcmd} add 300 pipe 3 ip from net-c to any
${fwcmd} add 400 skipto 65535 ip from any to any
${fwcmd} pipe 1 config bw 30Mbit/s
${fwcmd} pipe 2 config bw 20Mbit/s
${fwcmd} pipe 3 config bw 10Mbit/s

# outbound: shape by destination net; anything else jumps to the default rule
${fwcmd} add 500 pipe 4 ip from any to net-a
${fwcmd} add 600 pipe 5 ip from any to net-b
${fwcmd} add 700 pipe 6 ip from any to net-c
${fwcmd} pipe 4 config bw 30Mbit/s
${fwcmd} pipe 5 config bw 20Mbit/s
${fwcmd} pipe 6 config bw 10Mbit/s
${fwcmd} add 1000 skipto 65535 ip from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 07:42:01 2008
From: linimon@FreeBSD.org
Date: Fri, 21 Nov 2008 07:42:00 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Message-Id: <200811210742.mAL7g0GC006064@freefall.freebsd.org>
Subject: Re: kern/129036: [ipfw] 'ipfw fwd' does not change outgoing interface name

Synopsis: [ipfw] 'ipfw fwd' does not change outgoing interface name

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Nov 21 07:41:39 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=129036

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 14:53:38 2008
From: Deborah Charan
Reply-To: dcharan@atcorp.com
Date: Fri, 21 Nov 2008 08:24:32 -0600
To: freebsd-ipfw@freebsd.org
Message-ID: <4926C4A0.1090006@atcorp.com>
Subject: ipfw fwd with a bridge freebsd box

I have seen many posts from Kelly and Luigi about a patch to make fwd packets work on bridged freebsd boxes. But, nothing since 2003/2004 and 4.x.
Is there any patch for 5.3?

Thanks.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 16:51:30 2008
From: Roman Kurakin
Date: Fri, 21 Nov 2008 19:51:20 +0300
To: dcharan@atcorp.com
Cc: freebsd-ipfw@freebsd.org
Message-ID: <4926E708.5050709@inse.ru>
In-Reply-To: <4926C4A0.1090006@atcorp.com>
Subject: Re: ipfw fwd with a bridge freebsd box

Deborah Charan:
> I have seen many posts from Kelly and Luigi about a patch to make fwd
> packets work on bridged freebsd boxes. But, nothing since 2003/2004
> and 4.x. Is there any patch for 5.3?

I can't answer your question, but why do you need a patch for such an old version? 6.x and 7.x are stable enough and much better, unless you are using some really old hardware.

rik

>
> Thanks.
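Added example (written for this page, not code from Jim's post or from FreeBSD): a small Python model of how ipfw walks the dummynet ruleset in the ipfw/dummynet question above, so the two-pass behaviour Jim describes (shaped by source net on the way in, by destination net on the way out after routing) can be checked packet by packet instead of by eye. It models only what that ruleset uses: rules tried in number order, skipto jumping to the first rule with a number at least as large as the target, and the one_pass semantics that a packet leaves ipfw as accepted once it has been queued into a pipe (with net.inet.ip.fw.one_pass=0 it is reinjected at the next rule instead). Assumptions not in the original: net-a, net-b and net-c are stood in for by the documentation prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, the sample addresses are constructed, and rule 65535 is reported as a separate "default" verdict rather than allow or deny, because which one it is depends on whether the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.

```python
import ipaddress

# Constructed placeholder prefixes for the three "nets" in the post (not in the original).
NETS = {
    "net-a": ipaddress.ip_network("192.0.2.0/24"),
    "net-b": ipaddress.ip_network("198.51.100.0/24"),
    "net-c": ipaddress.ip_network("203.0.113.0/24"),
}

# The rule lines from the post. The "pipe N config" lines are omitted: they set
# bandwidth but play no part in deciding which rule a packet matches.
RULESET = """
add 10 skipto 100 ip from any to any in
add 20 skipto 500 ip from any to any out
add 100 pipe 1 ip from net-a to any
add 200 pipe 2 ip from net-b to any
add 300 pipe 3 ip from net-c to any
add 400 skipto 65535 ip from any to any
add 500 pipe 4 ip from any to net-a
add 600 pipe 5 ip from any to net-b
add 700 pipe 6 ip from any to net-c
add 1000 skipto 65535 ip from any to any
"""

DEFAULT_RULE = 65535  # ipfw's implicit last rule; allow or deny is a kernel build option


def parse_rules(text):
    """Parse 'add NUM ACTION [ARG] ip from SRC to DST [in|out]' lines into sorted dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "add":
            continue
        num, action = int(tok[1]), tok[2]
        if action in ("skipto", "pipe"):
            arg, body = int(tok[3]), tok[4:]
        else:
            arg, body = None, tok[3:]
        if len(body) < 5 or body[:2] != ["ip", "from"] or body[3] != "to":
            raise ValueError(f"unsupported rule body: {line!r}")
        direction = body[5] if len(body) > 5 else None
        rules.append({"num": num, "action": action, "arg": arg,
                      "src": body[2], "dst": body[4], "dir": direction})
    return sorted(rules, key=lambda r: r["num"])


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    net = NETS.get(spec) or ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(rule, pkt):
    if rule["dir"] is not None and rule["dir"] != pkt["dir"]:
        return False
    return _addr_matches(rule["src"], pkt["src"]) and _addr_matches(rule["dst"], pkt["dst"])


def walk(rules, pkt, one_pass=True):
    """Run one packet through the rule list.

    Returns {"verdict", "pipes", "fired"}: verdict is 'accept', 'deny' or
    'default' (the packet reached rule 65535), pipes lists the pipes it was
    queued into, fired lists the rule numbers that matched, in order.
    """
    fired, pipes = [], []
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule_matches(rule, pkt):
            i += 1
            continue
        fired.append(rule["num"])
        act = rule["action"]
        if act in ("allow", "accept", "pass", "permit"):
            return {"verdict": "accept", "pipes": pipes, "fired": fired}
        if act in ("deny", "drop"):
            return {"verdict": "deny", "pipes": pipes, "fired": fired}
        if act == "pipe":
            pipes.append(rule["arg"])
            if one_pass:
                # one_pass=1: the packet leaves ipfw after the pipe, no more rules
                return {"verdict": "accept", "pipes": pipes, "fired": fired}
            # one_pass=0: the packet is reinjected and continues at the next rule
            i += 1
            continue
        if act == "skipto":
            if rule["arg"] >= DEFAULT_RULE:
                return {"verdict": "default", "pipes": pipes, "fired": fired}
            i = next((k for k, r in enumerate(rules) if r["num"] >= rule["arg"]), len(rules))
            continue
        raise ValueError(f"unsupported action {act!r} in rule {rule['num']}")
    return {"verdict": "default", "pipes": pipes, "fired": fired}


def forward(rules, src, dst, one_pass=True):
    """A routed packet is seen twice: 'in' on arrival and 'out' after routing."""
    result = {}
    for direction in ("in", "out"):
        result[direction] = walk(rules, {"src": src, "dst": dst, "dir": direction}, one_pass)
        if result[direction]["verdict"] == "deny":
            break  # dropped on the way in, so there is no outbound pass
    return result


RULES = parse_rules(RULESET)

if __name__ == "__main__":
    # Constructed sample traffic: net-a -> net-c, outside -> net-a, outside -> outside.
    for src, dst in (("192.0.2.10", "203.0.113.20"), ("10.0.0.1", "192.0.2.10"), ("10.0.0.1", "10.0.0.2")):
        print(f"{src} -> {dst}: {forward(RULES, src, dst)}")
```

Running it shows a net-a to net-c packet queued into pipe 1 on the way in (rules 10, 100) and pipe 6 on the way out (rules 20, 700), and traffic from outside the three nets touching at most one pipe, which is the behaviour the post asks for. Two caveats the model makes visible: "skipto 65535" lands on the default rule, so on a default-deny kernel everything that is not piped is dropped, and with one_pass=0 even piped traffic ends up there. On the bandwidth question, a pipe configured without a mask is a single queue that every matching flow shares; adding a mask such as "mask src-ip 0xffffffff" to the pipe config makes dummynet create a dynamic queue per source address, each with the pipe's configured bandwidth.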