From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 21 01:08:19 2008
From: Gloomy Group
Date: Sun, 21 Dec 2008 00:56:19 +0000
In-Reply-To: <20081219140743.M29108@sola.nimnet.asn.au>
References: <20081218204044.H29108@sola.nimnet.asn.au> <20081219140743.M29108@sola.nimnet.asn.au>
Cc: ipfw@freebsd.org
Subject: RE: IPFW firewall rule in mpd pppoe server to single pc behind router

Is there anything like setting the TTL value to 1, like Linux iptables has?

> Date: Fri, 19 Dec 2008 14:35:47 +1100
> From: smithi@nimnet.asn.au
> To: gloomygroup@hotmail.com
> CC: ipfw@freebsd.org
> Subject: RE: IPFW firewall rule in mpd pppoe server to single pc behind router
>
> On Fri, 19 Dec 2008, Gloomy Group wrote:
> > Hello Ian,
> >
> > I have implemented traffic shaping with dummy net pipe. But I want
> > to strictly control the internet sharing to single pc. Is there other
> > way of allowing like MAC address restricting to 2 pc coming from that
> > source ip.
> >
> > > Date: Thu, 18 Dec 2008 20:57:36 +1100
> > > From: smithi@nimnet.asn.au
> > > To: gloomygroup@hotmail.com
> > > CC: freebsd-ipfw@freebsd.org
> > > Subject: Re: IPFW firewall rule in mpd pppoe server to single pc behind router
> > >
> > > On Thu, 18 Dec 2008, Gloomy Group wrote:
> > > > I have freebsd mpd pppoe server. Users connect to internet by giving
> > > > username and password. My problem is some users put router and share
> > > > internet connection with other pc. Is it possible to disable internet
> > > > sharing in server by rate limiting with ipfw firewall scripts. So
> > > > that if users keep router or does nat in their pc to share internet
> > > > then only single pc can access to internet. Is it possible?
> > >
> > > Detecting that a connection is shared using NAT? Not that I know of.
> > >
> > > Rate limiting per connection with dummynet pipes, easy enough. If you
> > > limit the bandwidth, why would you need to care how many pcs share it?
>
> Not that I know of.
>
> You're only going to see the MAC address of a directly connected system,
> not those of any other box connected to the first one's other interface,
> even if you are able to do ARP over PPPoE.
>
> This is more people-policy stuff I think, unlikely to have a technical
> solution. Some ISPs tell people they're not permitted to use NAT, but
> I've not heard of any way of actually and reliably detecting its use.
>
> One way to block use of the particular form of NAT implemented in M$ XP
> is to give users addresses in the 192.168.0.x range, with 192.168.0.1 as
> (your end's) gateway address .. since this latter address is forcibly
> assigned to the NAT box's inside interface by XP's 'internet connection
> sharing' .. but there are other NAT systems for windows users out there.
>
> Others may know more than I do about this, of course .. if you wish to
> pursue it further, net@freebsd.org would be the more appropriate list.
>
> cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 22 11:06:53 2008
Date: Mon, 22 Dec 2008 11:06:52 GMT
Message-Id: <200812221106.mBMB6qLC060601@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

51 problems total.