From owner-freebsd-ipfw@freebsd.org Sun Jun 3 21:00:46 2018
From: bugzilla-noreply@FreeBSD.org
To: ipfw@FreeBSD.org
Subject: Problem reports for ipfw@FreeBSD.org that need special attention
Date: Sun, 3 Jun 2018 21:00:43 +0000
Message-Id: <201806032100.w53L0hCZ076699@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
New         |    215875 | [ipfw] ipfw lookup tables do not support mbuf_tag

1 problems total for which you should take action.

From owner-freebsd-ipfw@freebsd.org Wed Jun 6 17:36:07 2018
From: "Dries Michiels"
Subject: Matching rules on ip4/ip6 with udp/tcp
Date: Wed, 6 Jun 2018 19:36:03 +0200
Message-ID: <001001d3fdbc$d804d270$880e7750$@gmail.com>

Dear Mailing List,

Is there a way to match packets specifying both network generation ip4 or
ip6 together with the protocol such as tcp or udp?

Currently the following rules are possible (examples):

ipfw add 1 allow udp from any to me 22 in recv em0
ipfw add 1 allow ip4 from any to me 22 in recv em0

The following rule is not possible (example):

ipfw add 1 allow ip4 udp from any to me 22 in recv em0

Is there a workaround for this or some reason why this hasn't been
implemented?

Or do I simply not have the rule syntax right.

Regards,
Dries

From owner-freebsd-ipfw@freebsd.org Wed Jun 6 18:01:00 2018
From: Freddie Cash
To: Dries Michiels
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Matching rules on ip4/ip6 with udp/tcp
Date: Wed, 6 Jun 2018 11:00:57 -0700
In-Reply-To: <001001d3fdbc$d804d270$880e7750$@gmail.com>

On Wed, Jun 6, 2018 at 10:36 AM, Dries Michiels wrote:

> Is there a way to match packets specifying both network generation ip4 or
> ip6 together with the protocol such as tcp or udp?
>
> Currently the following rules are possible (examples):
>
> ipfw add 1 allow udp from any to me 22 in recv em0
>
> ipfw add 1 allow ip4 from any to me 22 in recv em0
>
>
> The following rule is not possible (example):
>
> ipfw add 1 allow ip4 udp from any to me 22 in recv em0
>
>
> Is there a workaround for this or some reason why this hasn't been
> implemented?
>
> Or do I simply not have the rule syntax right.
>

One of the following pairs should do what you want, although the man page
is a little hard to parse on some of it, so they may not actually work:

ipfw add 1 allow from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow from any to me in recv em0 proto ip6 dst-port 22

ipfw add 1 allow udp from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow udp from any to me in recv em0 proto ip6 dst-port 22

Basically, there's a giant section in the man page about the "options"
section of the rule (what goes after the interface). You can do just about
anything within that section, including a lot of what could be done in the
"protocol" and "source address" and "destination address" sections.

-- 
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@freebsd.org Wed Jun 6 18:10:59 2018
From: "Andrey V. Elsukov"
To: Dries Michiels, freebsd-ipfw@freebsd.org
Subject: Re: Matching rules on ip4/ip6 with udp/tcp
Date: Wed, 6 Jun 2018 21:07:09 +0300
Message-ID: <4f4df436-0ccd-4763-5c48-190569e2b45b@yandex.ru>
In-Reply-To: <001001d3fdbc$d804d270$880e7750$@gmail.com>

On 06.06.2018 20:36, Dries Michiels wrote:
> Dear Mailing List,
>
> Is there a way to match packets specifying both network generation ip4 or
> ip6 together with the protocol such as tcp or udp?
>
> Currently the following rules are possible (examples):
>
> ipfw add 1 allow udp from any to me 22 in recv em0
>
> The following rule is not possible (example):
>
> ipfw add 1 allow ip4 udp from any to me 22 in recv em0

You can use "proto" option:

ipfw add 1 allow ip4 from any to me 22 in recv em0 proto tcp
ipfw add 1 allow tcp from any to me 22 in recv em0 not proto ip6
ipfw add 1 allow ip6 from any to me 22 in recv em0 proto tcp

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@freebsd.org Wed Jun 6 18:14:02 2018
From: "Dries Michiels"
To: "'Freddie Cash'"
Subject: RE: Matching rules on ip4/ip6 with udp/tcp
Date: Wed, 6 Jun 2018 20:13:59 +0200
Message-ID: <001901d3fdc2$2446d160$6cd47420$@gmail.com>

Tried out the variations you mentioned and they work just great.

Thank you!
Dries

From: Freddie Cash
Sent: Wednesday, 6 June 2018 20:01
To: Dries Michiels
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Matching rules on ip4/ip6 with udp/tcp

On Wed, Jun 6, 2018 at 10:36 AM, Dries Michiels wrote:

Is there a way to match packets specifying both network generation ip4 or
ip6 together with the protocol such as tcp or udp?

Currently the following rules are possible (examples):

ipfw add 1 allow udp from any to me 22 in recv em0
ipfw add 1 allow ip4 from any to me 22 in recv em0

The following rule is not possible (example):

ipfw add 1 allow ip4 udp from any to me 22 in recv em0

Is there a workaround for this or some reason why this hasn't been
implemented?

Or do I simply not have the rule syntax right.

One of the following pairs should do what you want, although the man page
is a little hard to parse on some of it, so they may not actually work:

ipfw add 1 allow from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow from any to me in recv em0 proto ip6 dst-port 22

ipfw add 1 allow udp from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow udp from any to me in recv em0 proto ip6 dst-port 22

Basically, there's a giant section in the man page about the "options"
section of the rule (what goes after the interface). You can do just about
anything within that section, including a lot of what could be done in the
"protocol" and "source address" and "destination address" sections.

-- 
Freddie Cash
fjwcash@gmail.com