From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 21 11:06:47 2013
Date: Mon, 21 Jan 2013 11:06:46 GMT
Message-Id: <201301211106.r0LB6khg054099@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
List-Id: IPFW Technical Discussions

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

(S = PR state: o open, a analyzed, f feedback, s suspended. Descriptions
are truncated as in the original report.)

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/174749  ipfw  Unexpected change of default route
o kern/169206  ipfw  [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw  [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw  [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw  [ipw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw  [ipfw] [lo] [patch] loopback interface is not marking
o kern/158066  ipfw  [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw  [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw  [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw  [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw  [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw  [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw  [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw  [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw  [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw  [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw  [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw  [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw  [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw  [ipfw] parser troubles
o kern/135476  ipfw  [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw  [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw  [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o bin/65961    ipfw  [ipfw] ipfw2 memory corruption inside add()
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

44 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 24 17:16:54 2013
From: Jake Guffey
Subject: IPFW divert with layer 2 interfaces
Message-Id: <425A98A2-634D-40B8-8D67-6D775D32A499@eprotex.com>
Date: Thu, 24 Jan 2013 12:16:54 -0500
To: ipfw@freebsd.org
List-Id: IPFW Technical Discussions

Hi:

I am working on a network appliance based on FreeBSD, IPFW, and Suricata.
In the scenario that I'm developing for, I need to divert packets sent
over a layer 2 bridge for IPS processing. After reinjection, IPFW passes
this traffic back to FreeBSD for layer 3 forwarding. I would like to get
this working for layer 2 forwarding across the bridge interface(s)
involved.

I saw
http://freebsd.1045724.n5.nabble.com/patch-RFC-allow-divert-from-layer-2-ipfw-e-g-bridge-td4008335.html
from quite some time ago (2006), and that one of the responders said that
he didn't want to commit layer 2 diversion support before layer 2 packet
filtering hooks were put in place. To my understanding (please correct me
if I'm wrong), the pfil hooks he was referring to are in place now.

Is there something I can do to help make this happen? I am very rusty
with C and will probably not be much help coding, but anything else, I'd
be glad to do. I suppose that I could give coding this support a shot,
with (likely) a bit of hand-holding from you.

The company that I work for has allocated budget for consulting, so I
would be glad to help fund development if that's an issue.

Thanks,
Jake Guffey
Network Security Engineer

eProtex
Network medical device security

5451 Lakeview Parkway S Drive
Indianapolis, Indiana 46268, USA
Mobile: 317-220-7100
jake.guffey@eprotex.com
www.eprotex.com

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 24 17:38:34 2013
Message-ID: <51017174.6040205@freebsd.org>
Date: Thu, 24 Jan 2013 10:37:56 -0700
From: Julian Elischer
To: Jake Guffey
Cc: ipfw@freebsd.org, Doug Ambrisko
Subject: Re: IPFW divert with layer 2 interfaces
In-Reply-To: <425A98A2-634D-40B8-8D67-6D775D32A499@eprotex.com>

On 1/24/13 10:16 AM, Jake Guffey wrote:
> Hi:
>
> I am working on a network appliance based on FreeBSD, IPFW, and
> Suricata. In the scenario that I'm developing for, I need to divert
> packets sent over a layer 2 bridge for IPS processing. After
> reinjection, IPFW passes this traffic back to FreeBSD for layer 3
> forwarding. I would like to get this working for layer 2 forwarding
> across the bridge interface(s) involved.
>
> I saw
> http://freebsd.1045724.n5.nabble.com/patch-RFC-allow-divert-from-layer-2-ipfw-e-g-bridge-td4008335.html
> from quite some time ago (2006), and that one of the responders said
> that he didn't want to commit layer 2 diversion support before layer 2
> packet filtering hooks were put in place. To my understanding (please
> correct me if I'm wrong), the pfil hooks he was referring to are in
> place now.

Hi there..
The original code you refer to was written by Ironport (now Cisco)
after looking at similar code by imimic (then Ironport, now Cisco :-))
for use in their web filter appliance.

It did work well, however I'm not in that field any more so I can't
justify work time in getting it up to date..
Nor do I have access any more to test machines that I can test the
result with.

It may be worth asking Doug Ambrisko what the current version of the
code looks like.. We had permission to give it back (hence the email)
but it never got put into the tree.

> Is there something I can do to help make this happen? I am very rusty
> with C and will probably not be much help coding, but anything else,
> I'd be glad to do. I suppose that I could give coding this support a
> shot, with (likely) a bit of hand-holding from you.
>
> The company that I work for has allocated budget for consulting, so I
> would be glad to help fund development if that's an issue.
>
> Thanks,
> Jake Guffey
> Network Security Engineer
>
> eProtex
> Network medical device security
>
> 5451 Lakeview Parkway S Drive
> Indianapolis, Indiana 46268, USA
> Mobile: 317-220-7100
> jake.guffey@eprotex.com
> www.eprotex.com
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 24 17:41:28 2013
Message-ID: <5101723C.1080104@freebsd.org>
Date: Thu, 24 Jan 2013 10:41:16 -0700
From: Julian Elischer
To: Jake Guffey
Cc: ipfw@freebsd.org, Doug Ambrisko
Subject: Re: IPFW divert with layer 2 interfaces
In-Reply-To: <51017174.6040205@freebsd.org>

On 1/24/13 10:37 AM, Julian Elischer wrote:
> On 1/24/13 10:16 AM, Jake Guffey wrote:
>> Hi:
>>
>> I am working on a network appliance based on FreeBSD, IPFW, and
>> Suricata. In the scenario that I'm developing for, I need to divert
>> packets sent over a layer 2 bridge for IPS processing. After
>> reinjection, IPFW passes this traffic back to FreeBSD for layer 3
>> forwarding. I would like to get this working for layer 2 forwarding
>> across the bridge interface(s) involved.
>>
>> I saw
>> http://freebsd.1045724.n5.nabble.com/patch-RFC-allow-divert-from-layer-2-ipfw-e-g-bridge-td4008335.html
>> from quite some time ago (2006), and that one of the responders
>> said that he didn't want to commit layer 2 diversion support before
>> layer 2 packet filtering hooks were put in place. To my
>> understanding (please correct me if I'm wrong), the pfil hooks he
>> was referring to are in place now.
>
> Hi there..
> The original code you refer to was written by Ironport (now Cisco)
> after looking at similar code by imimic (then Ironport, now Cisco
> :-)) for use in their
> web filter appliance.
>
> It did work well, however I'm not in that field any more so I can't
> justify work time in getting it up to date..
> Nor do I have access any more to test machines that I can test the
> result with.
>
> It may be worth asking Doug Ambrisko what the current version of
> the code looks like.. We had permission to
> give it back (hence the email) but it never got put into the tree.

I will add that I think the original code was written for the "old"
bridge code and not if_bridge.

>
>> Is there something I can do to help make this happen? I am very
>> rusty with C and will probably not be much help coding, but
>> anything else, I'd be glad to do. I suppose that I could give
>> coding this support a shot, with (likely) a bit of hand-holding
>> from you.
>>
>> The company that I work for has allocated budget for consulting, so
>> I would be glad to help fund development if that's an issue.
>>
>> Thanks,
>> Jake Guffey
>> Network Security Engineer
>>
>> eProtex
>> Network medical device security
>>
>> 5451 Lakeview Parkway S Drive
>> Indianapolis, Indiana 46268, USA
>> Mobile: 317-220-7100
>> jake.guffey@eprotex.com
>> www.eprotex.com

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 24 18:49:31 2013
Subject: Re: IPFW divert with layer 2 interfaces
From: Jake Guffey
In-Reply-To: <51017174.6040205@freebsd.org>
Date: Thu, 24 Jan 2013 13:49:31 -0500
To: Julian Elischer
Cc: ipfw@freebsd.org, Doug Ambrisko

Thanks for the response, Julian.

Any thoughts, Doug?

Thanks,
Jake Guffey
Network Security Engineer

eProtex
Network medical device security

5451 Lakeview Parkway S Drive
Indianapolis, Indiana 46268, USA
Mobile: 317-220-7100
jake.guffey@eprotex.com
www.eprotex.com

On Jan 24, 2013, at 12:37 PM, Julian Elischer wrote:

> On 1/24/13 10:16 AM, Jake Guffey wrote:
>> Hi:
>>
>> I am working on a network appliance based on FreeBSD, IPFW, and
>> Suricata. In the scenario that I'm developing for, I need to divert
>> packets sent over a layer 2 bridge for IPS processing. After
>> reinjection, IPFW passes this traffic back to FreeBSD for layer 3
>> forwarding. I would like to get this working for layer 2 forwarding
>> across the bridge interface(s) involved.
>>
>> I saw
>> http://freebsd.1045724.n5.nabble.com/patch-RFC-allow-divert-from-layer-2-ipfw-e-g-bridge-td4008335.html
>> from quite some time ago (2006), and that one of the responders said
>> that he didn't want to commit layer 2 diversion support before layer 2
>> packet filtering hooks were put in place. To my understanding (please
>> correct me if I'm wrong), the pfil hooks he was referring to are in
>> place now.
>
> Hi there..
> The original code you refer to was written by Ironport (now Cisco)
> after looking at similar code by imimic (then Ironport, now Cisco :-))
> for use in their
> web filter appliance.
>
> It did work well, however I'm not in that field any more so I can't
> justify work time in getting it up to date..
> Nor do I have access any more to test machines that I can test the
> result with.
>
> It may be worth asking Doug Ambrisko what the current version of the
> code looks like.. We had permission to
> give it back (hence the email) but it never got put into the tree.
>
>> Is there something I can do to help make this happen? I am very rusty
>> with C and will probably not be much help coding, but anything else,
>> I'd be glad to do. I suppose that I could give coding this support a
>> shot, with (likely) a bit of hand-holding from you.
>>
>> The company that I work for has allocated budget for consulting, so I
>> would be glad to help fund development if that's an issue.
>>
>> Thanks,
>> Jake Guffey
>> Network Security Engineer
>>
>> eProtex
>> Network medical device security
>>
>> 5451 Lakeview Parkway S Drive
>> Indianapolis, Indiana 46268, USA
>> Mobile: 317-220-7100
>> jake.guffey@eprotex.com
>> www.eprotex.com
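The mechanism Jake's first message builds on is the ipfw divert socket: the kernel hands each matching IP packet to a userland process, which inspects it and either writes it back or silently drops it. As an added example, not code from this thread, from ipfw, from Suricata or from the Ironport patch Julian mentions, the block below shows that receive/inspect/reinject loop with a toy port-blocking policy standing in for the IPS engine. It assumes a rule such as `ipfw add 100 divert 8000 ip from any to any` has been installed (rule number and divert port are assumptions), uses FreeBSD's IPPROTO_DIVERT value 258 from <netinet/in.h>, and relies only on the semantics documented in divert(4): the sockaddr returned by recvfrom carries the diverting rule's number as the port and the arrival interface address (0.0.0.0 for outgoing packets), and passing that same sockaddr back to sendto resumes ipfw processing after that rule on the normal IP path. That write-side interface only offers "incoming" or "outgoing" IP reinjection, which is why a packet diverted off a bridge comes back as layer 3 forwarded traffic, as Jake describes, rather than continuing across the bridge.

```python
"""Minimal divert(4) consumer: receive, inspect, reinject or drop.

Added example, not code from the mailing-list thread.  Assumes an ipfw rule
like `ipfw add 100 divert 8000 ip from any to any` (rule number and port are
assumptions) so the kernel hands IP packets to divert port 8000.
"""
import socket
import struct

# FreeBSD's IPPROTO_DIVERT from <netinet/in.h>; Python's socket module does
# not export this constant on every platform, so it is spelled out here.
IPPROTO_DIVERT = 258

PASS, DROP = "pass", "drop"


def parse_ipv4(pkt):
    """Decode the fixed IPv4 header and, for TCP/UDP, the port pair.

    Raises ValueError on a truncated or non-IPv4 packet so that a malformed
    buffer is never reinjected by accident.
    """
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, _tlen, _id, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "frag_offset": frag & 0x1FFF,
            "sport": None, "dport": None}
    # Ports sit in the first 4 bytes of the transport header; only the first
    # fragment carries them, later fragments are left with ports unset.
    if proto in (6, 17) and info["frag_offset"] == 0 and len(pkt) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def verdict(pkt, blocked_dports=frozenset({23})):
    """Toy IPS policy (an assumption standing in for a real engine):
    drop anything unparsable and TCP to a blocked destination port."""
    try:
        info = parse_ipv4(pkt)
    except ValueError:
        return DROP
    if info["proto"] == 6 and info["dport"] in blocked_dports:
        return DROP
    return PASS


def describe_divert_addr(addr):
    """Explain the (ip, port) pair recvfrom() returns on a divert socket.

    Per divert(4): port is the tag set by the diverting rule (for ipfw, the
    rule number); ip is the address of the interface the packet arrived on,
    or 0.0.0.0 for an outgoing packet.  Python drops sin_zero, where the
    kernel also places the interface name, so only the address is visible.
    """
    ip, tag = addr
    direction = "outgoing" if ip == "0.0.0.0" else "incoming via " + ip
    return "rule %d, %s" % (tag, direction)


def divert_loop(port=8000, max_packets=None):
    """Receive/inspect/reinject loop.  Needs FreeBSD and root; returns the
    pass/drop counters when max_packets is reached."""
    counts = {PASS: 0, DROP: 0}
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    sock.bind(("0.0.0.0", port))
    try:
        while max_packets is None or sum(counts.values()) < max_packets:
            pkt, addr = sock.recvfrom(65535)
            v = verdict(pkt)
            counts[v] += 1
            if v == PASS:
                # Writing the packet back with the unmodified sockaddr makes
                # the kernel resume ipfw processing after the diverting rule
                # and send the packet on down the ordinary IP path.
                sock.sendto(pkt, addr)
            # A DROP is simply never written back.
    finally:
        sock.close()
    return counts


# Constructed sample packet: IPv4/TCP SYN 10.0.0.5:40000 -> 10.0.0.9:23,
# no IP options, IP checksum left at zero since it never touches a network.
SAMPLE_TELNET = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
    + struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 0x50, 0x02, 8192, 0, 0)
)

if __name__ == "__main__":
    print(verdict(SAMPLE_TELNET))
    divert_loop()
```

The parsing and policy functions run anywhere on the constructed sample; `divert_loop` itself only works as root on a FreeBSD host with the divert rule in place. Keeping the verdict separate from the socket code is also what makes the policy testable without a kernel.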