From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 23 11:07:06 2012
Date: Mon, 23 Jan 2012 11:07:05 GMT
Message-Id: <201201231107.q0NB75XN080980@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/163873  ipfw   [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw   [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

41 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 27 12:00:06 2012
Date: Fri, 27 Jan 2012 15:29:08 +0400
From: Pavel Timofeev
To: freebsd-ipfw@freebsd.org
Subject: firewall_nat_enable in rc.firewall

Hi all!

I have a small correction for /etc/rc.firewall.

My conf:

[hostname]# grep firewall /etc/rc.conf
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="re0"
firewall_nat_flags="same_ports reset"

[hostname]# ipfw show
00050 5175447 4519882589 nat 123 ip4 from any to any via re0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 1 76 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 174 31790 allow ip from any to any
65535 0 0 deny ip from any to any

It seems very strange to me that the first rule is the nat rule, because the
following rules won't be passed and they look useless.

What do you think about this?

# diff -u /etc/rc.firewall /etc/rc.firewall.new
--- /etc/rc.firewall 2012-01-03 11:57:38.000000000 +0400
+++ /etc/rc.firewall.new 2012-01-27 11:53:40.000000000 +0400
@@ -169,7 +169,7 @@
 firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
 fi
 ${fwcmd} nat 123 config log ${firewall_nat_flags}
- ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
+ ${fwcmd} add 64900 nat 123 ip4 from any to any via ${firewall_nat_interface}
 fi
 ;;
 esac

There are some situations when I want to use firewall_coscripts="/etc/ipfw.sh",
which stores banned ip addresses and ports.
If the nat rule were 64900, I'd have more numbers for my own rules.
I hope you understand my English =)

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 27 19:23:52 2012
Date: Sat, 28 Jan 2012 06:23:49 +1100 (EST)
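Review bot: the rule number 64900 in the `+` line puts the nat rule after every filter rule for all firewall_type values, not only 'open', so the filter rules in between would match inbound packets on their untranslated external addresses, and any later `${fwcmd} add` without a rule number would land after 64900. The symptom that motivates the change (the rules after 50 apparently never being evaluated) comes from net.inet.ip.fw.one_pass, not from the rule number: with one_pass=1 a packet leaving the nat rule is accepted at once, with one_pass=0 it continues at rule 100. Suggest keeping `${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}` unchanged, setting net.inet.ip.fw.one_pass=0 in /etc/sysctl.conf, and numbering local rules in the unused range between 50 and 65000.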
From: Ian Smith
To: Pavel Timofeev
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20120128053304.W13367@sola.nimnet.asn.au>
Subject: Re: firewall_nat_enable in rc.firewall

On Fri, 27 Jan 2012, Pavel Timofeev wrote:

> Hi all!
>
> I have a small correction for /etc/rc.firewall.
>
> My conf:
> [hostname]# grep firewall /etc/rc.conf
> firewall_enable="YES"
> firewall_type="open"
> firewall_nat_enable="YES"
> firewall_nat_interface="re0"
> firewall_nat_flags="same_ports reset"
>
> [hostname]# ipfw show
> 00050 5175447 4519882589 nat 123 ip4 from any to any via re0
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 deny ip from any to ::1
> 00500 0 0 deny ip from ::1 to any
> 00600 0 0 allow ipv6-icmp from :: to ff02::/16
> 00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 1 76 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 65000 174 31790 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> It seems very strange to me that the first rule is the nat rule.

No, that's the right place (for this simple open one-rule nat setup).

> Because the following rules won't be passed and they look useless.

Make sure your 'sysctl net.inet.ip.fw.one_pass' is set to 0. If not, run
'ipfw disable one_pass', and/or add 'net.inet.ip.fw.one_pass=0' to
/etc/sysctl.conf to make it so, in order that all packets continue on through
the rest of the ruleset after NAT translation. Those rules are far from useless.
The localhost rules allow proper and deny improper traffic via localhost, and
the ipv6-icmp rules are deemed necessary. (So should be some ipv4 icmp, but
that's another issue, and here you wind up allowing everything else including
icmp anyway ..)

> What do you think about this?
>
> # diff -u /etc/rc.firewall /etc/rc.firewall.new
> --- /etc/rc.firewall 2012-01-03 11:57:38.000000000 +0400
> +++ /etc/rc.firewall.new 2012-01-27 11:53:40.000000000 +0400
> @@ -169,7 +169,7 @@
>  firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
>  fi
>  ${fwcmd} nat 123 config log ${firewall_nat_flags}
> - ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
> + ${fwcmd} add 64900 nat 123 ip4 from any to any via ${firewall_nat_interface}
>  fi
>  ;;
>  esac

Doing that means any subsequent rules added without a specified rule number
would be added after 64900. This section is used for other than 'open'
firewall_type, and the placement of the NAT rule/s is crucial.

> There are some situations when I want to use
> firewall_coscripts="/etc/ipfw.sh", which stores banned ip addresses and
> ports.
> If the nat rule were 64900, I'd have more numbers for my own rules.
> I hope you understand my English =)

I doubt firewall_coscripts is the best mechanism for that sort of thing; it's
more for other scripts (like natd) that need to be loaded and later unloaded
in correct order when enabling / disabling the firewall.

In any case you could start numbering your own rules from (say) 2000, either
included in rc.firewall or, probably better, in a separate script, in which
case you'd need to number every rule (to stay below 65000 here). I'd likely
add something like this to rc.firewall before line 65000:

[ -r /root/bin/myipfwconfig ] && . /root/bin/myipfwconfig

and have that file add (could be) unnumbered rules for your local additions,
after the nat and essential localhost etc rules above.
cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 28 16:00:29 2012
Date: Sat, 28 Jan 2012 16:00:28 GMT
Message-Id: <201201281600.q0SG0SNP036270@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Коньков Евгений
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions

The following reply was made to PR kern/156770; it has been noted by GNATS.
From: Коньков Евгений
To: bug-followup@FreeBSD.org, alter@alter.org.ua
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
Date: Sat, 28 Jan 2012 17:58:56 +0200

Hi, Team.

Do you plan to port this patch to FreeBSD-10 or 9?
It would be very nice,

especially this feature:
# it is possible to use bmap instead of port list. It gives a performance
benefit when you have a large list of services. Lookup time doesn't depend on
list size. Rather useful to QoS game traffic.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 28 16:48:54 2012
Date: Sat, 28 Jan 2012 18:06:20 +0100
From: Luigi Rizzo
To: Коньков Евгений
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20120128170620.GA24446@onelab2.iet.unipi.it>
In-Reply-To: <201201281600.q0SG0SNP036270@freefall.freebsd.org>
Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions

On Sat, Jan 28, 2012 at 04:00:28PM +0000, Коньков Евгений wrote:
> The following reply was made to PR kern/156770; it has been noted by GNATS.
>
> From: Коньков Евгений
> To: bug-followup@FreeBSD.org, alter@alter.org.ua
> Subject: Re: kern/156770: [ipfw] [dummynet] [patch]: performance improvement and several extensions
> Date: Sat, 28 Jan 2012 17:58:56 +0200
>
> Hi, Team.
>
> Do you plan to port this patch to FreeBSD-10 or 9?
> It would be very nice,
>
> especially this feature:
> # it is possible to use bmap instead of port list. It gives a performance
> benefit when you have a large list of services. Lookup time doesn't depend on
> list size. Rather useful to QoS game traffic.

Not as is. Way too many pieces; many are interesting, and from the description
some of them are already in. If someone can submit smaller patches for the
individual features (such as port maps, fast tags etc) then I can certainly
consider adding some of them.
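Ian Smith's one_pass point earlier in this digest, as an added example that is not code from any message in the thread: a POSIX sh check that takes the value of net.inet.ip.fw.one_pass and the output of `ipfw show` (here a constructed copy of Pavel's ruleset) and lists the rules that traffic matching the nat rule would never reach. The function and variable names (first_nat_rule, shadowed_rules, count_shadowed, SAMPLE_SHOW) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. With net.inet.ip.fw.one_pass=1 a packet
# that matches an in-kernel nat rule is accepted right after translation and
# never sees the rules below it; with one_pass=0 it re-enters the ruleset at
# the next rule. Report which rules NAT-translated traffic would skip.

# Constructed sample: the ruleset Pavel posted (rule 50 is the nat rule).
SAMPLE_SHOW='00050 5175447 4519882589 nat 123 ip4 from any to any via re0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 1 76 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 174 31790 allow ip from any to any
65535 0 0 deny ip from any to any'

# first_nat_rule SHOW_OUTPUT: number of the first nat rule, empty if none.
# `ipfw show` prints "rulenum packets bytes action ...", so the action is $4.
first_nat_rule() {
    printf '%s\n' "$1" | awk '$4 == "nat" { print $1; exit }'
}

# shadowed_rules ONE_PASS SHOW_OUTPUT: rule numbers that traffic matching the
# nat rule never reaches. Empty when one_pass is 0 or there is no nat rule.
shadowed_rules() {
    if [ "$1" = "0" ]; then
        return 0    # packets continue at the next rule after NAT
    fi
    nat=$(first_nat_rule "$2")
    if [ -z "$nat" ]; then
        return 0
    fi
    printf '%s\n' "$2" | awk -v n="$nat" '$1 + 0 > n + 0 { print $1 }'
}

# count_shadowed ONE_PASS SHOW_OUTPUT: how many rules are skipped.
count_shadowed() {
    shadowed_rules "$1" "$2" | wc -l | tr -d ' '
}

# On a live box:
#   count_shadowed "$(sysctl -n net.inet.ip.fw.one_pass)" "$(ipfw show)"
```

A non-zero count with one_pass=1 means the localhost and ipv6-icmp rules are not being consulted for NAT-translated packets, which is exactly the situation 'ipfw disable one_pass' corrects.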