From owner-freebsd-net@freebsd.org Wed Sep 16 15:06:01 2015 Return-Path: Delivered-To: freebsd-net@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4A6399CE052; Wed, 16 Sep 2015 15:06:01 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8CFD71E7B; Wed, 16 Sep 2015 15:05:59 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t8GF5obW092775; Thu, 17 Sep 2015 01:05:50 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Thu, 17 Sep 2015 01:05:50 +1000 (EST) From: Ian Smith To: Warren Block cc: "O. Hartmann" , Kimmo Paasiala , freebsd-net@freebsd.org, Lev Serebryakov , freebsd-ipfw@freebsd.org Subject: Re: HELP! Mysterious socket 843/tcp listening on CURRENT system In-Reply-To: Message-ID: <20150916235555.F82084@sola.nimnet.asn.au> References: <20150915090658.1e0b9074@freyja.zeit4.iv.bundesimmobilien.de> <20150915094757.3daef42c@freyja.zeit4.iv.bundesimmobilien.de> <20150915201451.L90924@sola.nimnet.asn.au> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Sep 2015 15:06:01 -0000 On Tue, 15 Sep 2015 07:51:11 -0600 (MDT), Warren Block wrote: > On Tue, 15 Sep 2015, Ian Smith wrote: > O. Hartmann wrote: > > > But that is an other issue and it is most likely > > > due to the outdated documentation (that doc still uses port 37 for NTP > > > purposes and referes to the outdated divert mechanism using natd, see the > > > recent handbook). The internet is also full of ambigous examples. > > > > Yes, the handbook IPFW section is still crazy after all these years, > > despite ongoing attempts to limit the damage. Best just ignore it. > > Best overall would be to fix the documentation. Oh, absolutely. But it can't be me, for reasons I'll mail you about. I've become reluctant to talk about what I can't fix, but when I see people in trouble due to that section, I'm compelled to so advise. > Given that there seems to be more interest in IPFW lately, it would > be nice if someone well-versed in it would repair or even rewrite the > IPFW handbook section. Rewrites are sometimes less work than fixing > an old section that no longer fits actual usage. Exactly the conclusion I'd come to after an effort last October to correct some of the more egregious errors, including the one Oliver mentions above and quite a lot else. In reviewing that today, I see I got some things wrong myself :) but I'll send it to you anyway. It's nothing more than a start, and only saved-as text, not in doc markup. > I have not used IPFW in years, but would be willing to help with an > edit/rewrite. Well if you're prepared to coordinate efforts, I'll certainly review and contribute as best I can. There was another offer in ipfw@ to assist in a rewrite recently. If you're up for it, I'll shunt that your way too? I've a feeling that the best way to do a lot of this would be by brief sections that mostly just pointed to sections of (online) ipfw(8); e.g. even the basic description is best covered by ipfw(8)'s /DESCRIPTION .. so a good index into that with some extra pointers and tips might work. But we really need some good examples of ipfw + nat with stateful rules that actually work properly. I found one saved good(-looking :) ruleset from 2012 with the sort of multiple interfaces and subnets Oliver needs, by Lev Serebryakov , who's more recently been working on adding new rules to better handle timing/placement of state checking including in NAT scenarios, who I poke occasionally - like now - to provide some worked examples :) I think freebsd-ipfw@ may be a better place to take this now .. cc'd. cheers, Ian