From: "Dennis Berger" <HypnotiZer@gmx.net>
To: freebsd-questions@FreeBSD.ORG
Subject: convert ruleset from IPF to IPFW
Date: Wed, 1 Aug 2001 20:05:27 +0200

Hi,
I have the following ruleset built, but it still doesn't work without rule 150 and I have no idea why...
I mean why the hell the packet can't come back although the dynamic rules are built.
And UDP traffic is also denied back in to my clients.
I set net.inet.ip.fw.one_pass=0 to ensure that a packet is not terminated by the pipe.

Or maybe somebody can help me to convert my existing IPF ruleset to IPFW.
I would like to do this because I need a traffic-shaper, and under FreeBSD ALTQ doesn't work with the tun-device.

"/etc/ipf.rules"
block in  log all
block out log all
pass  in  on lo0 all
pass  out on lo0 all
pass  in  on xl0 all
pass  out on xl0 all
pass  in  on rl0 all
pass  out on rl0 all

block in  log quick on tun0 from 192.168.0.0/16 to any
block in  log quick on tun0 from 172.16.0.0/12 to any
block in  log quick on tun0 from 10.0.0.0/8 to any
block in  log quick on tun0 from 127.0.0.0/8 to any
block in  log quick on tun0 from 0.0.0.0/8 to any
block in  log quick on tun0 from 169.254.0.0/16 to any
block in  log quick on tun0 from 192.0.2.0/24 to any
block in  log quick on tun0 from 204.152.64.0/23 to any
block in  log quick on tun0 from 224.0.0.0/3 to any

pass  in  quick on tun0 proto icmp from any to any icmp-type 0
pass  in  quick on tun0 proto icmp from any to any icmp-type 11
pass  in  quick on tun0 proto tcp from any to any port = 22 flags S keep state keep frags
pass  in  quick on tun0 proto tcp from any to any port = 80 flags S keep state keep frags
pass  in  quick on tun0 proto tcp from any to any port = 443 flags S keep state keep frags
pass  in  quick on tun0 proto tcp from any to any port = 21 flags S keep state keep frags
pass  in  quick on tun0 proto tcp from any port > 1023 to any port 49152 >< 65535 flags S keep state keep frags

block out quick on tun0 proto udp from any to 192.246.40.56
block out log quick on tun0 proto tcp from any to any port 6666 >< 6670
pass  out quick on tun0 proto tcp from any to any flags S keep state
pass  out quick on tun0 proto udp from any to any keep state
pass  out quick on tun0 proto icmp from any to any keep state

"/etc/natd.cf"
redirect_port udp 127.0.0.1:27952 192.246.40.56:27952
use_sockets yes
unregistered_only no
interface tun0
dynamic yes
same_ports yes
punch_fw 500:100

"/etc/ipfw.rules"
fwcmd="/sbin/ipfw"

$fwcmd -f flush
$fwcmd add 20 pass all from any to any via lo0
$fwcmd add 30 pass all from any to any via rl0
$fwcmd add 40 pass all from any to any via xl0

$fwcmd add 50 deny log all from 192.168.0.0/16 to any in via tun0
$fwcmd add 60 deny log all from 172.16.0.0/12 to any in via tun0
$fwcmd add 70 deny log all from 10.0.0.0/8 to any in via tun0
$fwcmd add 80 deny log all from 127.0.0.0/8 to any in via tun0
$fwcmd add 90 deny log all from 0.0.0.0/8 to any in via tun0
$fwcmd add 100 deny log all from 169.254.0.0/16 to any in via tun0
$fwcmd add 110 deny log all from 192.0.2.0/24 to any in via tun0
$fwcmd add 120 deny log all from 204.152.64.0/23 to any in via tun0
$fwcmd add 130 deny log all from 224.0.0.0/3 to any in via tun0

$fwcmd add 131 count tcp from any to any via tun0
$fwcmd add 132 count udp from any to any 27000-28000 out via tun0
$fwcmd add 133 count tcp from any 1024-65535 to any 21 in via tun0
$fwcmd add 134 count tcp from any 20 to any 1024-65535 out via tun0
$fwcmd add 135 count tcp from any 49153-65535 to any 1024-65535 out via tun0
$fwcmd add 136 count tcp from any to any 80 in via tun0
$fwcmd add 136 count tcp from any to any 80 out via tun0

$fwcmd add 140 pipe 1 tcp from any to any 22,1494 via tun0
$fwcmd add 141 pipe 2 udp from any to any 27000-28000 out via tun0
$fwcmd add 142 pipe 3 tcp from any to any in via tun0
$fwcmd add 143 pipe 4 tcp from any to any out via tun0
$fwcmd pipe 1 config bandwidth 0 queue 10Kbyte
$fwcmd pipe 2 config bandwidth 0 queue 20Kbyte
$fwcmd pipe 3 config bandwidth 728Kbit/s queue 50Kbyte
$fwcmd pipe 4 config bandwidth 96Kbit/s queue 10Kbyte

$fwcmd add 149 divert natd ip from any to any via tun0
$fwcmd add 150 pass tcp from any to any in via tun0 established
$fwcmd add 160 check-state

$fwcmd add 200 pass icmp from any to any in via tun0 icmptypes 0,11
$fwcmd add 210 pass tcp from any to any 22 in via tun0 keep-state tcpflags syn
$fwcmd add 220 pass tcp from any to any 80 in via tun0 keep-state tcpflags syn
$fwcmd add 230 pass tcp from any to any 443 in via tun0 keep-state tcpflags syn
$fwcmd add 240 pass tcp from any to any 21 in via tun0 keep-state tcpflags syn
$fwcmd add 250 pass tcp from any 1024-65535 to any 49153-65535 in via tun0 keep-state tcpflags syn
$fwcmd add 260 deny udp from any to 192.246.40.56 out via tun0
$fwcmd add 270 deny log tcp from any to any 6666-6669 out via tun0
$fwcmd add 280 pass tcp from any to any out via tun0 keep-state tcpflags syn
$fwcmd add 290 pass udp from any to any out via tun0 keep-state
$fwcmd add 300 pass icmp from any to any out via tun0 keep-state
$fwcmd add 65530 deny log all from any to any
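As an added example (not part of Dennis's mail or of ipfw's own tooling), a small Python lint over the `$fwcmd add` syntax used in the ruleset above: it parses each rule into (number, action, protocol, direction, options) and reports rule numbers used twice and a `pass ... established` rule placed ahead of `check-state`. In ipfw, `established` matches TCP packets with the RST or ACK bit set and does no connection tracking, so a rule like 150 passes inbound ACK/RST traffic whether or not a dynamic rule exists; the parser and the two checks are assumptions of this example.

```python
import re

# Lines copied from the ipfw ruleset posted above; the checks are an added
# example (assumed lint logic), not part of the original mail.
RULES = """
$fwcmd add 136 count tcp from any to any 80 in via tun0
$fwcmd add 136 count tcp from any to any 80 out via tun0
$fwcmd add 149 divert natd ip from any to any via tun0
$fwcmd add 150 pass tcp from any to any in via tun0 established
$fwcmd add 160 check-state
$fwcmd add 280 pass tcp from any to any out via tun0 keep-state tcpflags syn
$fwcmd add 65530 deny log all from any to any
"""
RULE_RE = re.compile(r"^\$fwcmd\s+add\s+(\d+)\s+(\S+)\s*(.*)$")

def parse(text):
    # Returns (number, action, proto, direction, option-set) tuples in order.
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                          # flush / pipe config lines
        num, action, toks = int(m.group(1)), m.group(2), m.group(3).split()
        if action == "check-state":
            rules.append((num, action, "any", "any", set()))
            continue
        if toks[0] == "log":
            toks.pop(0)                       # logging flag, not a protocol
        if action in ("divert", "pipe"):
            toks.pop(0)                       # divert port name / pipe number
        proto = toks.pop(0)
        tail = toks[toks.index("to") + 2:]    # everything after "to <dst>"
        if tail and re.fullmatch(r"[\d,-]+", tail[0]):
            tail.pop(0)                       # destination port spec
        direction = "in" if "in" in tail else "out" if "out" in tail else "any"
        rules.append((num, action, proto, direction, set(tail)))
    return rules

def lint(rules):
    # Duplicate numbers, and flag-only 'established' passes ahead of check-state.
    findings, by_num = [], {}
    for r in rules:
        by_num.setdefault(r[0], []).append(r)
    for num, group in by_num.items():
        if len(group) > 1:
            findings.append(f"{num}: {len(group)} rules share this number (deleted together)")
    checkstate = next((r[0] for r in rules if r[1] == "check-state"), None)
    for num, action, proto, direction, opts in rules:
        if action == "pass" and "established" in opts and checkstate and num < checkstate:
            findings.append(f"{num}: 'established' matches any {direction}bound TCP with ACK or "
                            f"RST set, so check-state at {checkstate} never sees those packets")
    return findings
```

Running `lint(parse(RULES))` on the full ruleset from the mail reports the shared number 136 and rule 150; the `count` and `pipe` rules parse but trigger nothing.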