From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 11:07:05 2011
Delivered-To: freebsd-ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AE65E1065672; Mon, 18 Jul 2011 11:07:05 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 93FCC8FC1B; Mon, 18 Jul 2011 11:07:05 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p6IB75UQ026814; Mon, 18 Jul 2011 11:07:05 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p6IB749Z026812 for freebsd-ipfw@FreeBSD.org; Mon, 18 Jul 2011 11:07:04 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 18 Jul 2011 11:07:04 GMT
Message-Id: <201107181107.p6IB749Z026812@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 18 Jul 2011 11:07:05 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
p kern/157957  ipfw       [libalias][patch] alias_ftp does not alias data sessio
p kern/157867  ipfw       [patch][ipfw] natd globalport support for ipfw nat
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
f kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
f kern/143474  ipfw       [ipfw] ipfw table contains the same address
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
p kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
f kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
f kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

47 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 18:14:06 2011
From: David van Rensburg - PC Network
To: "freebsd-ipfw@freebsd.org"
Date: Mon, 18 Jul 2011 17:41:36 +0000
Subject: ipfw and nat problem
Hi

I've been having a problem with ipfw and nat. I can get nat to work but I want the following:

My lan must only have access to outgoing port 80.
I want to be able to allow some lan users access to ftp and outgoing 3389 (remote desktop), but by default only port 80.
I have transparent proxy working in ipfw.
I want to be able to limit outgoing and incoming to the freebsd server according to port.
I want a default deny.

ANY help, or a pointer in the right direction, would be great. I have been googling for a week now and can't find anything similar. Most examples don't use a default deny and don't allow certain services to the lan users.

oif="rl0"

freebsd box with 2 network cards
192.168.1.3 - lan side (all lan clients 192.168.1.x)
192.168.0.2 - router side of card (machine default gateways to 192.168.0.1 which is the router)

rc.conf:
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-s -u -m"
firewall_enable="YES"
firewall_logging_enable="YES"
firewall_quiet="NO"
#firewall_type="simple blah"
firewall_script="/etc/firewall.local"
natd_flags="-f /etc/natd.conf"

I'm using the following rules, which aren't working properly, e.g. the actual freebsd box can ftp out for some reason.
00100   0     0 divert 8668 ip from not me to any via rl0
00150   0     0 fwd 192.168.1.3,3128 tcp from not me to any dst-port 80
00250  24  1440 allow ip from any to any via lo0
00350   0     0 deny ip from any to 127.0.0.0/8
00450   0     0 deny ip from 127.0.0.0/8 to any
00550   0     0 deny tcp from any to any frag
00650   0     0 check-state
00750 241 27480 allow tcp from any to any established
00850  24  5676 allow ip from any to any out keep-state
00950   0     0 allow tcp from any to any dst-port 22 in
01050   0     0 allow tcp from any to any dst-port 22 out
01150   0     0 allow udp from any to any dst-port 53 in
01250   0     0 allow tcp from any to any dst-port 53 in
01350   0     0 allow udp from any to any dst-port 53 out
01450   0     0 allow tcp from any to any dst-port 53 out
01550   0     0 allow tcp from 192.168.1.99 to any dst-port 3389
01650 462 53744 deny ip from any to any
65535 122 12588 allow ip from any to any

David van Rensburg
PC Network
Tel: 0215107600
Fax: 0215104165
www.pcnetwork.co.za
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 18:54:54 2011
From: David van Rensburg - PC Network
To: "freebsd-ipfw@freebsd.org"
Date: Mon, 18 Jul 2011 18:54:34 +0000
Content-Transfer-Encoding: base64
Subject: FW: ipfw and nat problem

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 19:05:33 2011
From: Chuck Swiger
To: David van Rensburg - PC Network
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 18 Jul 2011 12:05:32 -0700
Message-id: <02D2E336-48EE-498E-87AA-8A307EC2EF74@mac.com>
Subject: Re: ipfw and nat problem

On Jul 18, 2011, at 11:53 AM, David van Rensburg - PC Network wrote:
> Yes sorry - I suppose I was assuming that goes without saying.

Well, you can't design working firewall rulesets with unstated requirements.

> Will open 443 for https and close 80 and do a transparent squid proxy
> which I got to work.

You need to permit *both* 80 and 443, either directly or via the Squid proxy.

> I just can't seem to understand in and out.
> Does in mean INTO the BOX or into the specific interface what happens if
> you don't specify an interface when u say in or out?
> OR does in mean into the internal network from outside or just into the
> box?
>
> Please just elaborate on that for me ?

In refers to incoming traffic to the box running IPFW (and also NAT'ed traffic which gets re-written by natd to your internal clients); out refers to traffic generated from the box (and/or from NAT traffic from internal machines via natd). If that doesn't make sense, consider using "recv", "xmit", and "via ifX" instead:

     recv | xmit | via {ifX | if* | ipno | any}
             Matches packets received, transmitted or going through, respectively,
             the interface specified by exact name (ifX), by device name (if*),
             by IP address, or through some interface.

             The via keyword causes the interface to always be checked.  If recv
             or xmit is used instead of via, then only the receive or transmit
             interface (respectively) is checked.  By specifying both, it is
             possible to match packets based on both receive and transmit
             interface, e.g.:

                   ipfw add deny ip from any to any out recv ed0 xmit ed1

             The recv interface can be tested on either incoming or outgoing
             packets, while the xmit interface can only be tested on outgoing
             packets.  So out is required (and in is invalid) whenever xmit is
             used.

             A packet may not have a receive or transmit interface: packets
             originating from the local host have no receive interface, while
             packets destined for the local host have no transmit interface.
Regards,
-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 19:26:47 2011
From: Grégoire Leroy
To: freebsd-ipfw@freebsd.org
Date: Mon, 18 Jul 2011 21:09:53 +0200
User-Agent: KMail/1.13.7 (Linux/2.6.39-2-amd64; KDE/4.6.4; x86_64; ; )
Message-Id: <201107182109.57593.gregoire.leroy@hyperthese.net>
Subject: Re: FW: ipfw and nat problem

Hi,

> >I just can't seem to understand in and out.
> >Does in mean INTO the BOX or into the specific interface what happens if
> >you don't specify an interface when u say in or out?
> >OR does in mean into the internal network from outside or just into the
> >box?

in and out are filters, like from and to. If you don't specify the interface, it'll match all packets which go into the box (or go out, for out). If you specify an interface, it'll be more precise. Example:

# In and out packets which go through outgoing interface
from any to any via oif
# idem, but in packets only
from any to any in via oif
# out packets through all interfaces
from any to any out

Regards,
Grégoire Leroy
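To make the in/out/via/recv/xmit distinction from Chuck's and Grégoire's replies concrete, here is an added toy evaluator (not from the thread, and not ipfw's own code) that walks a packet through the ruleset from the first post. It covers only what that ruleset needs (allow, deny, divert, fwd, check-state; from/to with not, me and CIDR; dst-port; in/out; via/recv/xmit), keeps no dynamic state, and treats divert as a pass-through; the post never names the LAN-side interface, so any packet you build with a LAN interface name is an assumption.

```python
import ipaddress
from dataclasses import dataclass

MY_ADDRS = {"192.168.1.3", "192.168.0.2"}   # the box's own addresses ("me"), from the post

# The first ruleset from the thread with its counters stripped (constructed sample input).
RULESET = """
00100 divert 8668 ip from not me to any via rl0
00150 fwd 192.168.1.3,3128 tcp from not me to any dst-port 80
00250 allow ip from any to any via lo0
00350 deny ip from any to 127.0.0.0/8
00450 deny ip from 127.0.0.0/8 to any
00550 deny tcp from any to any frag
00650 check-state
00750 allow tcp from any to any established
00850 allow ip from any to any out keep-state
00950 allow tcp from any to any dst-port 22 in
01050 allow tcp from any to any dst-port 22 out
01150 allow udp from any to any dst-port 53 in
01250 allow tcp from any to any dst-port 53 in
01350 allow udp from any to any dst-port 53 out
01450 allow tcp from any to any dst-port 53 out
01550 allow tcp from 192.168.1.99 to any dst-port 3389
01650 deny ip from any to any
65535 allow ip from any to any
"""

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    recv: "str | None"   # interface it arrived on; None when the box itself generated it
    xmit: "str | None"   # interface it leaves on; None when it is addressed to the box

def addr_matches(spec: str, addr: str) -> bool:
    neg = spec.startswith("not ")
    spec = spec[4:] if neg else spec
    if spec in ("any", "me"):
        hit = spec == "any" or addr in MY_ADDRS
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != neg

def parse_rule(line: str) -> dict:
    # NUM action [arg] proto from SRC to DST [dst-port N] [in|out] [via|recv|xmit IF] flags...
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "arg": None, "proto": None, "src": "any",
         "dst": "any", "dport": None, "dir": None, "ifaces": [], "flags": set()}
    if t[1] == "check-state":
        return r
    if t[1] in ("divert", "fwd"):             # divert takes a port, fwd an address[,port]
        r["arg"] = t.pop(2)
    r["proto"] = t[2]
    it = iter(t[3:])
    while (w := next(it, None)) is not None:
        if w in ("from", "to"):               # an address, optionally preceded by "not"
            a = next(it)
            r["src" if w == "from" else "dst"] = "not " + next(it) if a == "not" else a
        elif w == "dst-port":
            r["dport"] = int(next(it))
        elif w in ("in", "out"):
            r["dir"] = w
        elif w in ("via", "recv", "xmit"):
            r["ifaces"].append((w, next(it)))
        else:                                 # setup, keep-state, established, frag, ...
            r["flags"].add(w)
    return r

def rule_matches(r: dict, p: Packet) -> bool:
    if r["action"] == "check-state" or r["flags"] & {"established", "frag"}:
        return False                          # toy has no dynamic state: first packet only
    if r["proto"] not in ("ip", p.proto) or r["dport"] not in (None, p.dport):
        return False
    if not (addr_matches(r["src"], p.src) and addr_matches(r["dst"], p.dst)):
        return False
    # ipfw runs the output path only for packets that have a transmit interface,
    # so "out" means "leaving via some interface" and "in" means "arrived on one".
    if r["dir"] not in (None, "out" if p.xmit else "in"):
        return False
    for kind, name in r["ifaces"]:            # via: either side; recv/xmit: that side only
        if name not in {"via": (p.recv, p.xmit), "recv": (p.recv,), "xmit": (p.xmit,)}[kind]:
            return False
    return True

def evaluate(rules: list, p: Packet) -> tuple:
    # One pass of a packet through the ruleset; returns (rule number, verdict).
    for r in rules:
        if not rule_matches(r, p):
            continue
        if r["action"] in ("allow", "deny"):
            return r["num"], r["action"]
        if r["action"] == "fwd":
            return r["num"], "fwd " + r["arg"]
        # divert: natd rewrites the packet and re-injects it at the next rule, so keep going
    return 65535, "deny"

RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
```

A packet with src 192.168.0.2, recv None and xmit rl0 (the box itself opening an FTP control connection) stops at rule 850 with allow, because a locally generated packet has no receive interface, is therefore "out", and "from any" includes the box; the same FTP packet from a LAN client arriving on the LAN interface is "in" and falls through to the 1650 deny.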
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 19:32:47 2011
From: David van Rensburg - PC Network
To: Chuck Swiger
Cc: "freebsd-ipfw@freebsd.org"
Date: Mon, 18 Jul 2011 19:32:40 +0000
In-Reply-To: <502A18D1-745D-48E9-B395-BDB5A24BD2FA@mac.com>
Subject: Re: ipfw and nat problem

> >Ok so why can't I resolve names here.. I've added rule 20 and 21

I've deleted rule 60, then I can't telnet mailserver 25, so the set seems to be working...

[root@bsd ~]# ipfw show
00005 589 53220 allow ip from any to any via alc0
00010   0     0 allow ip from any to any via lo0
00011   0     0 fwd 192.168.1.3,3128 tcp from not me to any dst-port 80
00014   0     0 divert 8668 ip from any to any in via rl0
00015   0     0 check-state
00020   0     0 skipto 800 udp from any to any dst-port 53 out via rl0 setup keep-state
00021   0     0 skipto 800 tcp from any to any dst-port 53 out via rl0 setup keep-state
00040   0     0 skipto 800 tcp from any to any dst-port 80 out via rl0 setup keep-state
00050   0     0 skipto 800 tcp from any to any dst-port 443 out via rl0 setup keep-state
00060   0     0 skipto 800 tcp from any to any dst-port 25 out via rl0 setup keep-state
00061   0     0 skipto 800 tcp from any to any dst-port 110 out via rl0 setup keep-state
00080   0     0 skipto 800 icmp from any to any out via rl0 keep-state
00110   0     0 skipto 800 tcp from any to any dst-port 22 out via rl0 setup keep-state
00120   0     0 skipto 800 tcp from any to any dst-port 43 out via rl0 setup keep-state
00130   0     0 skipto 800 udp from any to any dst-port 123 out via rl0 keep-state
00300   0     0 deny ip from 192.168.0.0/16 to any in via rl0
00301   0     0 deny ip from 172.16.0.0/12 to any in via rl0
00302   0     0 deny ip from 10.0.0.0/8 to any in via rl0
00303   0     0 deny ip from 127.0.0.0/8 to any in via rl0
00304   0     0 deny ip from 0.0.0.0/8 to any in via rl0
00305   0     0 deny ip from 169.254.0.0/16 to any in via rl0
00306   0     0 deny ip from 192.0.2.0/24 to any in via rl0
00307   0     0 deny ip from 204.152.64.0/23 to any in via rl0
00308   0     0 deny ip from 224.0.0.0/3 to any in via rl0
00315   0     0 deny tcp from any to any dst-port 113 in via rl0
00320   0     0 deny tcp from any to any dst-port 137 in via rl0
00321   0     0 deny tcp from any to any dst-port 138 in via rl0
00322   0     0 deny tcp from any to any dst-port 139 in via rl0
00323   0     0 deny tcp from any to any dst-port 81 in via rl0
00330   0     0 deny ip from any to any frag in via rl0
00332   0     0 deny tcp from any to any established in via rl0
00370   0     0 allow tcp from any to me dst-port 80 in via rl0 setup limit src-addr 2
00380   0     0 allow tcp from any to me dst-port 22 in via rl0 setup limit src-addr 2
00385   0     0 allow tcp from any to any dst-port 22
00390   0     0 allow tcp from any to me dst-port 23 in via rl0 setup limit src-addr 2
00400   0     0 deny log logamount 5 ip from any to any in via rl0
00450   4   240 deny log logamount 5 ip from any to any out via rl0
00800   0     0 divert 8668 ip from any to any out via rl0
00801   0     0 allow ip from any to any
00999   0     0 deny log logamount 5 ip from any to any
65535   0     0 allow ip from any to any
[root@bsd ~]#
[root@bsd ~]#

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 19:32:50 2011
From: Chuck Swiger
To: David van Rensburg - PC Network
Cc: "freebsd-ipfw@freebsd.org"
Date: Mon, 18 Jul 2011 11:32:03 -0700
Message-id: <28D3D376-49A7-4ABD-A2DA-2BC74CCFED7D@mac.com>
Subject: Re: ipfw and nat problem

On Jul 18, 2011, at 10:41 AM, David van Rensburg - PC Network wrote:
> I've been having a problem with ipfw and nat. I can get nat to work but I want the following:
> My lan must only have access to outgoing port 80

For web access to be useful for most cases, you also need to permit 443 for HTTPS.

> I want to be able to allow some lan users access to ftp and outgoing 3389 (remote desktop), but by default only port 80
> I have transparent proxy work in ipfw.
> I want to be able to limit outgoing and incoming to the freebsd server according to port.
> I want a default deny.

You haven't mentioned anything about DNS, NTP, SMTP & POP3/IMAP. For web access or remote desktop to function, you'll need to permit DNS traffic so they can find the machines they are connecting to. And most networks want to have network time and email working.

> ANY help or point me in the right direction would be great. I have been googling for a week now and can't find anything similar. Most examples don't use a default deny and don't allow certain services to the lan users.
Start with:

  http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

...and the books recommended in /etc/rc.firewall:

# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#	Building Internet Firewalls, 2nd Edition
#	Brent Chapman and Elizabeth Zwicky
#
#	O'Reilly & Associates, Inc
#	ISBN 1-56592-871-7
#	http://www.ora.com/
#	http://www.oreilly.com/catalog/fire2/
#
# For a more advanced treatment of Internet Security read:
#
#	Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
#	William R. Cheswick, Steven M. Bellowin, Aviel D. Rubin
#
#	Addison-Wesley / Prentice Hall
#	ISBN 0-201-63466-X
#	http://www.pearsonhighered.com/
#	http://www.pearsonhighered.com/educator/academic/product/0,3110,020163466X,00.html

Regards,
-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 18 19:21:12 2011
From: Chuck Swiger
Date: Mon, 18 Jul 2011 12:21:11 -0700
To: David van Rensburg - PC Network
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and nat problem

On Jul 18, 2011, at 12:17 PM, David van Rensburg - PC Network wrote:
> "In" can mean traffic going from the LAN to the internet AND from the
> internet to the LAN because either way it goes into the box as it flows
> through the box, correct?

Yes, I think so. Most people seem to prefer to use "recv via _external_interface_" rather than "in" to identify traffic from the Internet at large incoming towards their machine or local subnet.
Regards,
--
-Chuck

From: David van Rensburg - PC Network
Date: Tue, 19 Jul 2011 09:56:16 +0000
To: freebsd-ipfw@freebsd.org
Subject: ipfw nat and ftp

Hi guys,

Is there any way to get FTP to work properly with ipfw and nat without opening all high ports? In Linux I used to use a module that handled it for me. Now I'm getting a deny log as:

    Jul 19 11:49:54 bsd kernel: ipfw: 450 Deny TCP 192.168.1.99:51446 196.43.2.109:34049 out via rl0

Any help would be appreciated.

David van Rensburg
PC Network
Tel: 0215107600
Fax: 0215104165
www.pcnetwork.co.za

From: "Vladislav V. Prodan"
Date: Thu, 21 Jul 2011 19:00:09 +0300
To: net@freebsd.org
Cc: ipfw@freebsd.org
Subject: I want to change the ToS / DSCP on FreeBSD

Or, for now, only via ng_patch(4)?

Inspired by the traffic-balancing use at Yahoo:
http://www.nanog.org/meetings/nanog51/presentations/Monday/NANOG51.Talk45.nanog51-Schaumann.pdf

--
Vladislav V. Prodan
VVP24-UANIC
+380[67]4584408
+380[99]4060508
vlad11@jabber.ru

From: Pavel Zhovner
Date: Thu, 21 Jul 2011 20:28:13 +0300
To: freebsd-ipfw@freebsd.org
Subject: Flush queues in pipe

Hello.

I need to count incoming packets for each TCP connection. For this I do:

    ipfw pipe 1 config mask src-ip 0xffffffff dst-ip 0xffffffff buckets 1024
    ipfw add pipe 1 tcp from any to me in dst-port 80

Then I can see the packet count for each connection by typing "ipfw pipe 1 show".

But I can't find how to flush all queues in the pipe. The following commands:

    ipfw pipe zero
    ipfw queue zero

return "Accounting cleared" but nothing actually happens. I tried it on FreeBSD 7.3 and 8.2.