From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 1 08:47:41 2008
From: bogdan oprea
Reply-To: bogdan_inedit@yahoo.com
To: freebsd-ipfw@freebsd.org
Date: Mon, 1 Dec 2008 00:47:39 -0800 (PST)
Message-ID: <44691.25194.qm@web50303.mail.re2.yahoo.com>
Subject: ipfw triple homed bridge

I have a FreeBSD 7 box with the following configuration:

    vr0---box---rl0
             |
            rl1

I bridged vr0 and rl0 using these commands in rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_bridge0="inet x.x.x.x/24 addm vr0 addm rl0 up"
    ifconfig_vr0="up"
    ifconfig_rl0="up"

rl1 has routing enabled with:

    gateway_enable="YES"
    ifconfig_rl1="inet y.y.y.y netmask 255.255.255.192"

When creating rules such as:

    ipfw add 100 ip from any to any in via vr0

or

    ipfw add 100 ip from any to any in via rl0

I see no traffic, but when creating rules like

    ipfw add 100 ip from any to any in via bridge0

I see traffic.

I was wondering if I can add rules based on vr0 and rl0, not on bridge0, because I want to limit some ports on vr0 and I want the dhcpd server to serve only on rl0.

I also have in sysctl.conf:

    net.link.bridge.ipfw=1
    net.link.bridge.ipfw_arp=1

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 1 11:06:57 2008
Date: Mon, 1 Dec 2008 11:06:56 GMT
Message-Id: <200812011106.mB1B6uBE052578@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

51 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 2 03:25:19 2008
From: Brett Davidson
Organization: Net24 Limited
To: freebsd-ipfw@freebsd.org
Date: Tue, 02 Dec 2008 16:14:14 +1300
Message-ID: <4934A806.2060809@net24.co.nz>
References: <20081201120023.9E1821065688@hub.freebsd.org> <20081201233222.L34249@sola.nimnet.asn.au> <493461B5.1040704@net24.co.nz>
In-Reply-To: <493461B5.1040704@net24.co.nz>
Subject: Is there anything weird I should know about using ipfw on alias addresses?

Relevant ifconfig entry shows the alias addresses correctly bound.
    bce1: flags=8843 mtu 1500
            options=3b
            inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
            inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
            inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
            inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
            inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
            inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
            inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
            ether 00:1c:c4:c0:56:94
            media: Ethernet autoselect (1000baseSX )
            status: active

Relevant /etc/rc.conf entries:

    ifconfig_bce1="inet 210.5.50.5 netmask 255.255.255.224"
    ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
    ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
    ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
    ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
    ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
    ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
    ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

Creating an ipfw rule and testing it from the command line works (connects out from master address, not alias):

    ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state

From website on alias address, the firewall blocks the packets.

Interesting entries in /var/log/security:

    Dec 1 16:42:25 kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1

In a normal world the packet would match!!!!! What's goin' on here Willis?

From what I can see, this MUST have something to do with the way ipfw is working with aliased addresses but I'm blowed if I know what is wrong.

Cheers,
Brett.
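As an added example, not part of Brett's post or of FreeBSD's own tools, the following Python script parses the rc.conf alias entries and the /var/log/security line quoted above, labels each logged deny by whether its source is the interface's primary address or one of its aliases, and flags an alias entry that repeats an address already configured on the interface (as alias0 does above with the primary 210.5.50.5). The two regexes are assumptions about those two formats, and the second log line is constructed.

```python
import re
from collections import defaultdict

# Constructed sample input: the rc.conf entries and the /var/log/security line
# quoted in the thread, plus one extra (constructed) line from an alias address.
RC_CONF = """
ifconfig_bce1="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
"""
SECURITY_LOG = """
Dec 1 16:42:25 kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1
Dec 1 16:43:01 kernel: ipfw: 9999 Deny TCP 210.5.51.4:50112 208.69.123.164:80 out via bce1
"""
# Assumed formats: ifconfig_<if>[_alias<n>]="inet <addr> ..." in rc.conf, and
# "ipfw: <rule> <action> <proto> <src>:<port> <dst>:<port> <in|out> via <if>" in the log.
RC_RE = re.compile(r'^ifconfig_(\w+?)(?:_alias(\d+))?="inet\s+([\d.]+)')
LOG_RE = re.compile(r'ipfw: (\d+) (\w+) (\w+) ([\d.]+):(\d+) ([\d.]+):(\d+) (in|out) via (\w+)')

def parse_rc_addresses(text):
    """Map each interface to its primary address and its list of aliases."""
    ifaces = defaultdict(lambda: {"primary": None, "aliases": []})
    for line in text.splitlines():
        if m := RC_RE.match(line.strip()):
            iface, alias_no, addr = m.groups()
            if alias_no is None:
                ifaces[iface]["primary"] = addr
            else:
                ifaces[iface]["aliases"].append(addr)
    return dict(ifaces)

def duplicate_aliases(addresses):
    """Alias entries that repeat the primary address or an earlier alias."""
    dups = {}
    for iface, cfg in addresses.items():
        seen = {cfg["primary"]}
        for addr in cfg["aliases"]:
            if addr in seen:
                dups.setdefault(iface, []).append(addr)
            seen.add(addr)
    return dups

def classify_log(text, addresses):
    """Label each ipfw log entry by which configured address it left from."""
    entries = []
    for m in filter(None, map(LOG_RE.search, text.splitlines())):
        rule, action, proto, src, _, dst, dport, direction, iface = m.groups()
        cfg = addresses.get(iface, {"primary": None, "aliases": []})
        kind = ("primary" if src == cfg["primary"] else
                "alias" if src in cfg["aliases"] else "unknown")
        entries.append({"rule": int(rule), "action": action, "proto": proto, "src": src,
                        "dst": dst, "dport": int(dport), "dir": direction, "iface": iface, "src_kind": kind})
    return entries
```

Run against a real /etc/rc.conf and /var/log/security, the "src_kind" label shows at a glance whether a denied flow left from the master address or from one of the aliases.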