From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 20 10:37:59 2004
From: "Martin"
To: "quetzal@roks.biz", "Robert Downes"
Cc: "freebsd-ipfw@freebsd.org"
Date: Sun, 20 Jun 2004 12:35:19 +0200 (CEST)
Subject: Re: Blocked outbound traffic - what is it?

On Sat, 19 Jun 2004 10:55:32 +0300, quetzal@roks.biz wrote:

This is my opinion too.

Martin.

>You don't need to worry about trojans. By the logic of your rules, I think that
>these packets are blocked because of the ending lifetime of some dynamic rules.
>See net.inet.ip.fw.dyn_fin_lifetime and net.inet.ip.fw.dyn_rst_lifetime
>in man ipfw(8) and you will probably understand what I am talking about.
>Also you can try tcpdump to trace what occurs during the final phase of the tcp
>session.

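The dynamic-rule lifetimes named in the quoted reply above can be illustrated with a small model. This Python sketch is an added example, not code from the list or from ipfw: it is a simplified model of how a keep-state entry's expiry follows the TCP flags seen, the default values are the sysctl defaults from ipfw(8), and the packet trace and all names in the code are constructed for illustration.

```python
"""Simplified model of ipfw keep-state expiry for a single TCP flow."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lifetimes:
    """Seconds a dynamic rule survives after its last matching packet."""
    syn: float = 20.0    # net.inet.ip.fw.dyn_syn_lifetime (handshake in progress)
    ack: float = 300.0   # net.inet.ip.fw.dyn_ack_lifetime (established)
    fin: float = 1.0     # net.inet.ip.fw.dyn_fin_lifetime (both sides sent FIN)
    rst: float = 1.0     # net.inet.ip.fw.dyn_rst_lifetime (a RST was seen)


class DynRule:
    """One dynamic rule; remembers SYN/FIN/RST seen in each direction."""

    def __init__(self, lifetimes, now):
        self.lt = lifetimes
        self.seen = {"out": set(), "in": set()}
        self.expire = now + lifetimes.syn

    def update(self, direction, flags, now):
        self.seen[direction] |= {f for f in flags if f in ("SYN", "FIN", "RST")}
        both = self.seen["out"] & self.seen["in"]     # seen in both directions
        either = self.seen["out"] | self.seen["in"]   # seen in any direction
        if "RST" in either:
            life = self.lt.rst
        elif "SYN" in both and "FIN" in both:
            life = self.lt.fin        # connection closed from both sides
        elif "SYN" in both:
            life = self.lt.ack        # established, possibly half-closed
        else:
            life = self.lt.syn
        self.expire = now + life


def classify(trace, lifetimes):
    """Label each packet 'dynamic' (matched by check-state) or 'static'
    (no live state, so it falls through to the static rules)."""
    rule, verdicts = None, []
    for t, direction, flags in trace:
        if rule is not None and t >= rule.expire:
            rule = None                       # lifetime ran out, state is gone
        if rule is None and set(flags) == {"SYN"}:
            rule = DynRule(lifetimes, t)      # "setup keep-state" creates state
        if rule is not None:
            rule.update(direction, flags, t)
            verdicts.append((t, direction, flags, "dynamic"))
        else:
            verdicts.append((t, direction, flags, "static"))
    return verdicts


def fall_through(trace, lifetimes):
    """Packets that no longer match the dynamic rule."""
    return [(t, d, f) for t, d, f, v in classify(trace, lifetimes) if v == "static"]


# Constructed trace: (seconds, direction seen from the server, TCP flags).
# The server's last ACK is assumed lost, so the client retransmits its FIN.
TRACE = [
    (0.00, "in", ("SYN",)),
    (0.01, "out", ("SYN", "ACK")),
    (0.02, "in", ("ACK",)),
    (0.50, "in", ("ACK",)),            # request data
    (0.60, "out", ("ACK",)),           # response data
    (0.61, "out", ("FIN", "ACK")),     # server closes
    (0.65, "in", ("FIN", "ACK")),      # client closes: both FINs now seen
    (0.66, "out", ("ACK",)),           # final ACK (lost in this scenario)
    (2.20, "in", ("FIN", "ACK")),      # client retransmits its FIN
    (2.21, "out", ("ACK",)),           # server re-acknowledges
]

if __name__ == "__main__":
    for fin in (1.0, 3.0):
        late = fall_through(TRACE, Lifetimes(fin=fin))
        print(f"dyn_fin_lifetime={fin}: {len(late)} packet(s) reach the static rules")
        for t, d, f in late:
            print(f"  t={t:.2f}s {d:>3} {'+'.join(f)}")
```

In this model the tail of a legitimate connection reaches the static rules only when it arrives after the FIN or RST lifetime has run out, which is the situation the quoted reply describes.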
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 21 07:19:14 2004
From: Scott Stahl
To: freebsd-ipfw@freebsd.org
Date: Mon, 21 Jun 2004 01:10:41 -0600
Subject: Ipfw.conf

Hi all!

What's a good IPFW.CONF to have for a production server that hosts HTTP, HTTPS, FTP, SSH, and also runs webmin through https?

Thanks,
Scott.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 21 11:02:33 2004
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 21 Jun 2004 11:02:16 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o  [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o  [2004/03/03] misc/63724  ipfw   IPFW2 Queues dont t work
o  [2004/03/14] kern/64240  ipfw   IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o  [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o  [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o  [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o  [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o  [2004/01/12] kern/61259  ipfw   [patch] make "ipfw tee" work as intended
o  [2004/03/09] kern/63961  ipfw   ipfw2 uid matching doesn't work correctly

12 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 22 04:43:10 2004
From: Gordon Burditt
To: freebsd-ipfw@freebsd.org
Cc: gordon@burditt.org
Date: Mon, 21 Jun 2004 23:43:08 -0500 (CDT)
Subject: stateful firewall vs. closing TCP connections

I've been attempting to update my firewall rules. The old one worked OK with ipfw 1, but it didn't use a stateful firewall, and ipfw 2 allows some shortcuts and has more features that I might like to use. I'm using FreeBSD-4.9 with IPFW2. Yes, I've rebuilt everything with IPFW2=TRUE.

However, I've been running into a problem that the stateful firewall seems to be closing itself too quickly. It may not be causing observable errors, but my logs are full of junk for denied packets from LEGITIMATE connections.

The objective here was to look at packets rejected under the new rules but not rejected under the old rules before actually denying them. Then I deny these and see only the port scans, probes, and other bad traffic in the logs.

This set of rules actually is intended to run on both my gateway machine and my server machine on the local LAN (with the gateway having some extra rules to allow passthru), but I'm testing this on the server machine only. The server machine accepts a lot of http, smtp, and mysql connections from outside ("outside" here is any other machine, including my LAN), and initiates a number of outgoing smtp (outgoing mail and Exim callout verify) and mysql connections. There is no NAT in this setup (at least not when I first started working on this). All of the machines have public IPs. The LAN is 100baseTX and the outside connection is DSL.

The old rules worked like this (in a section applicable to TCP only):

    20100 allow tcp from any to any established
    ...
    21000 skipto 60000 tcp from { MYSQL_CLIENT_1, MYSQL_CLIENT_2, MYSQL_CLIENT_3} to me 3306 setup
    21010 skipto 60000 tcp from me to { MYSQL_SERVER_1, MYSQL_SERVER_2} 3306 setup
    ...
    21700 skipto 60000 tcp from me to any http setup
    21710 skipto 60000 tcp from any to me http setup
    ...
    29999 deny log all from any to any
    60000 allow all from any to any

Now, this worked OK, but it's not stateful. So, for testing purposes, I changed it to this:

    20099 check-state
    20100 allow log tcp from any to any established
    20110 allow log tcp from any to any not setup
    ...
    21000 skipto 60000 tcp from { MYSQL_CLIENT_1, MYSQL_CLIENT_2, MYSQL_CLIENT_3} to me 3306 setup keep-state
    21010 skipto 60000 tcp from me to { MYSQL_SERVER_1, MYSQL_SERVER_2} 3306 setup keep-state
    ...
    21700 skipto 60000 tcp from me to any http setup keep-state
    21710 skipto 60000 tcp from any to me http setup keep-state
    ...
    29999 deny log all from any to any
    60000 allow all from any to any

The rules go through a preprocessor where things like MYSQL_SERVER_* and MYSQL_CLIENT_* get filled in with a real (and outside public) ip. There are a lot more rules to allow tcp setups in the full set of rules, ending in "... setup keep-state".

Rule 20100 is not supposed to catch anything, as the established packets should be accepted by rule 20099. Rule 20110 only catches packets that are neither setup nor established (and probably malicious). I intend to change these rules to "deny log" (or just delete them and let rule 29999 handle it) after making sure doing this doesn't disrupt anything.

So, what happens? I get the usual bunch of port scans in the log. BUT, I also get a lot of packets logged from LEGITIMATE connections by rule 20100, which I believe are coming at the tail end of the connection. This happens too often for me to believe it's due to retransmitted packets. Also, I can match up stuff in the ipfw logs against mail or Apache logs to see that a real connection came in. I cannot, however, match tcpdump output against log output: there is not enough detail in the logs to determine which packet from that particular server was logged. But it seems like it's the tail end of the connection.

I tried setting net.inet.ip.fw.dyn_rst_lifetime and net.inet.ip.fw.dyn_fin_lifetime to 3 from 1. No change.

Since 'log' doesn't log much of the packet details, I split rule 20100 into several rules with various combinations of tcpflags so I could use the rule number to figure out what the flags were. What seems to be happening is that the SERVER side (my host acts as both client and server at various times, and the symptoms seem to follow the role it's playing) sends a FIN-ACK or FIN packet and the CLIENT side sends back a RST. If I change rules 20100-20109 to "deny log", the server side sends two FIN-ACK packets and I don't get back the RST, so it seems the server is retrying the packet. I have not observed any actual problems with the transactions from denying the packet. But I'm not sure how many programs actually check for errors on close.

Question: if one side of the connection is closed, does the stateful firewall close off both directions? Actually, I don't see why this should be a problem, especially with the lifetime set to 3 seconds, since I don't think a whole http transaction even takes 3 seconds.

Is this normal behavior of a TCP connection? Is this a firewall bug? Is there a way I can avoid logging these, but log the real malicious stuff?

What's the deal with rule 60000? At one point I was trying to deal with two outside connections, and packets FROM public netblock A had to go out interface de2 (using fwd) and packets FROM public netblock B had to go out tun0. That applies only to the gateway anyway.

Gordon L. Burditt

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 22 07:26:04 2004
From: "Alexander Vasenin aka BlackSir"
To: "Freebsd-Ipfw@Freebsd. Org"
Date: Tue, 22 Jun 2004 11:26:25 +0400
Subject: PR kern/60377 'ipfw tee'

The patch in the subject PR has worked for me for about 5 months on 6 servers (4.9R, 4.10R with IPFW2). (I've had a little problem, but it was my fault.) Are there any plans to commit it to stable?

Related PRs: 64240, 49959, 61259.

Alexander Vasenin aka BlackSir

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 06:33:36 2004
From: Evgeny Ivanov
Date: Thu, 24 Jun 2004 09:36:39 +0300 (EEST)
To:
freebsd-ipfw@freebsd.org
Subject: tables in ipfw2

Hi again,

:)) It may be very boring, but after making world to the latest 4.10 source, I still don't have the table option. I have recompiled the ipfw and libalias with ipfw2 support and kernel too. What am I doing wrong??

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 06:44:12 2004
From: Ruslan Ermilov
To: Evgeny Ivanov
Cc: freebsd-ipfw@FreeBSD.org
Date: Thu, 24 Jun 2004 09:43:50 +0300
Subject: Re: tables in ipfw2

On Thu, Jun 24, 2004 at 09:36:39AM +0300, Evgeny Ivanov wrote:
>
> Hi again,
>
> :)) It may be very boring, but after making world to the latest 4.10
> source, I still don't have the table option. I have recompiled the ipfw
> and libalias with ipfw2 support and kernel too. What am I doing wrong??
>
1. Add ``IPFW2=YES'' in /etc/make.conf.
2. Recompile world (``make buildworld'').
3. Recompile kernel: if you want firewall built statically into
   your kernel, make sure to add ``options IPFW2'' into your
   kernel config. Otherwise, the ipfw.ko will be built with
   IPFW (due to IPFW2=YES in /etc/make.conf).

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 07:09:45 2004
From: Nick Rogness
To: Ruslan Ermilov
Cc: freebsd-ipfw@freebsd.org, Evgeny Ivanov
Date: Thu, 24 Jun 2004 01:09:14 -0600 (MDT)
Subject: Re: tables in ipfw2

On Thu, 24 Jun 2004, Ruslan Ermilov wrote:

> On Thu, Jun 24, 2004 at 09:36:39AM +0300, Evgeny Ivanov wrote:
>>
>> Hi again,
>>
>> :)) It may be very boring, but after making world to the latest 4.10
>> source, I still don't have the table option. I have recompiled the ipfw
>> and libalias with ipfw2 support and kernel too. What am I doing wrong??
>>
> 1. Add ``IPFW2=YES'' in /etc/make.conf.
> 2. Recompile world (``make buildworld'').
> 3. Recompile kernel: if you want firewall built statically into
>    your kernel, make sure to add ``options IPFW2'' into your
>    kernel config. Otherwise, the ipfw.ko will be built with
>    IPFW (due to IPFW2=YES in /etc/make.conf).
>

Is there any reason why IPFW2 has not become the standard IPFW...still not stable enough or ??? IPFW2 is backwards compatible with IPFW is it not?

Seems to work great for me :-)

Nick Rogness
- How many people here have telekinetic powers? Raise my hand.
  -Emo Philips

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 07:24:53 2004
From: Ruslan Ermilov
To: Nick Rogness
Cc: freebsd-ipfw@freebsd.org, Evgeny Ivanov
Date: Thu, 24 Jun 2004 10:25:05 +0300
Subject: Re: tables in ipfw2

On Thu, Jun 24, 2004 at 01:09:14AM -0600, Nick Rogness wrote:
> Is there any reason why IPFW2 has not become the standard
> IPFW...still not stable enough or ??? IPFW2 is backwards
> compatible with IPFW is it not?
>
It's standard in 5.x.

Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 07:40:45 2004
From: Luigi Rizzo
To: Nick Rogness
Cc: freebsd-ipfw@freebsd.org, Evgeny Ivanov
Date: Thu, 24 Jun 2004 00:40:39 -0700
Subject: Re: tables in ipfw2

On Thu,
Jun 24, 2004 at 01:09:14AM -0600, Nick Rogness wrote:
...
> Is there any reason why IPFW2 has not become the standard
> IPFW...still not stable enough or ??? IPFW2 is backwards
> compatible with IPFW is it not?

at the time people wanted to check it for a while to make sure there weren't issues. I guess that given the option, this satisfied both worlds, so nobody cared to change the standard (the only reason for doing that would be remove ipfw1 at the next time there is a system change that would require an ipfw1 patch).

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 09:26:34 2004
From: Evgeny Ivanov
To: rizzo@icir.org, nick@rogness.net
Cc: "freebsd-ipfw@freebsd.org"
Date: Thu, 24 Jun 2004 12:29:13 +0300 (EEST)
Subject: Re: tables in ipfw2

So you mean that it is only in 5.x branch.
Is there a patch for 4.10 RELENG ?

Regards
Evgeny

On 6/24/2004, "Luigi Rizzo" wrote:

>On Thu, Jun 24, 2004 at 01:09:14AM -0600, Nick Rogness wrote:
>....
>> Is there any reason why IPFW2 has not become the standard
>> IPFW...still not stable enough or ??? IPFW2 is backwards
>> compatible with IPFW is it not?
>
>at the time people wanted to check it for a while to make
>sure there weren't issues. I guess that given the option,
>this satisfied both worlds, so nobody cared to change
>the standard (the only reason for doing that would be
>remove ipfw1 at the next time there is a system change
>that would require an ipfw1 patch).
>
>	cheers
>	luigi

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 10:37:23 2004
From: Ruslan Ermilov
To: Evgeny Ivanov
Cc: rizzo@icir.org, "freebsd-ipfw@freebsd.org"
Date: Thu, 24 Jun 2004 13:37:16 +0300
Subject: Re: tables in ipfw2

On Thu, Jun 24, 2004 at 12:29:13PM +0300,
Evgeny Ivanov wrote: >=20 > So you mean that it is only in 5.x branch. > Is there a patch for 4.10 RELENG ? >=20 No, it's just not getting built by default in 4.x. In 4.x, you need IPFW2=3DYES in /etc/make.conf, and possibly ``options IPFW2'' instead of ``options IPFIREWALL'' in your kernel config file. Cheers, --=20 Ruslan Ermilov ru@FreeBSD.org FreeBSD committer --J2SCkAp4GZ/dPZZf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFA2q7cqRfpzJluFF4RAgGRAJ4guCT4mB/KWPU7mFdEHjMNMNm6dQCeNQc/ PRpl++1P38Ybggzg82hW9Do= =Eipz -----END PGP SIGNATURE----- --J2SCkAp4GZ/dPZZf-- From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 12:32:43 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8C1F116A4CE; Thu, 24 Jun 2004 12:32:43 +0000 (GMT) Received: from shellma.zin.lublin.pl (shellma.zin.lublin.pl [212.182.126.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E02F43D2D; Thu, 24 Jun 2004 12:32:43 +0000 (GMT) (envelope-from pawmal-posting@freebsd.lublin.pl) Received: by shellma.zin.lublin.pl (Postfix, from userid 1018) id 1AD8B5F104; Thu, 24 Jun 2004 14:07:26 +0200 (CEST) Date: Thu, 24 Jun 2004 14:07:25 +0200 From: Pawel Malachowski To: Ruslan Ermilov Message-ID: <20040624120725.GA84753@shellma.zin.lublin.pl> References: <20040624004039.A62893@xorpc.icir.org> <200406240929.i5O9TDBD000460@ns.networkersbg.com> <20040624103716.GA64935@ip.net.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20040624103716.GA64935@ip.net.ua> User-Agent: Mutt/1.4.2i cc: "freebsd-ipfw@freebsd.org" Subject: Re: tables in ipfw2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 

On Thu, Jun 24, 2004 at 01:37:16PM +0300, Ruslan Ermilov wrote:

Hello,

> > So you mean that it is only in 5.x branch.
> > Is there a patch for 4.10 RELENG ?
> >
> No, it's just not getting built by default in 4.x.
> In 4.x, you need IPFW2=YES in /etc/make.conf, and
> possibly ``options IPFW2'' instead of ``options
> IPFIREWALL'' in your kernel config file.

It would be handy to have IPFW2 built by default in RELENG_4 and
IPFW2-aware ipfw.ko, dummynet.ko, ipfw(8) etc. in future 4.11-RELEASE CD,
out of the box.


--
Paweł Małachowski

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 14:50:46 2004
Date: Thu, 24 Jun 2004 07:50:07 -0700
From: Luigi Rizzo
To: Pawel Malachowski
Message-ID: <20040624075007.A66175@xorpc.icir.org>
References: <20040624004039.A62893@xorpc.icir.org> <200406240929.i5O9TDBD000460@ns.networkersbg.com> <20040624103716.GA64935@ip.net.ua> <20040624120725.GA84753@shellma.zin.lublin.pl>
In-Reply-To: <20040624120725.GA84753@shellma.zin.lublin.pl>; 02:07:25PM +0200
cc: "freebsd-ipfw@freebsd.org"
Subject: Re: tables in ipfw2

On Thu, Jun 24, 2004 at 02:07:25PM +0200, Pawel Malachowski wrote:
> On Thu, Jun 24, 2004 at 01:37:16PM +0300, Ruslan Ermilov wrote:
>
> Hello,
>
> > > So you mean that it is only in 5.x branch.
> > > Is there a patch for 4.10 RELENG ?
> > >
> > No, it's just not getting built by default in 4.x.
> > In 4.x, you need IPFW2=YES in /etc/make.conf, and
> > possibly ``options IPFW2'' instead of ``options
> > IPFIREWALL'' in your kernel config file.

it is "in addition to", not "instead of"

	cheers
	luigi

> It would be handy to have IPFW2 built by default in RELENG_4 and
> IPFW2-aware ipfw.ko, dummynet.ko, ipfw(8) etc. in future 4.11-RELEASE CD,
> out of the box.
>
>
> --
> Pawel Malachowski

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 15:02:22 2004
Date: Thu, 24 Jun 2004 18:02:01 +0300
From: Ruslan Ermilov
To: Luigi Rizzo
Message-ID: <20040624150201.GA66542@ip.net.ua>
References: <20040624004039.A62893@xorpc.icir.org> <200406240929.i5O9TDBD000460@ns.networkersbg.com> <20040624103716.GA64935@ip.net.ua> <20040624120725.GA84753@shellma.zin.lublin.pl> <20040624075007.A66175@xorpc.icir.org>
In-Reply-To: <20040624075007.A66175@xorpc.icir.org>
cc: ipfw@FreeBSD.org
Subject: Re: tables in ipfw2

On Thu, Jun 24, 2004 at 07:50:07AM -0700, Luigi Rizzo wrote:
> On Thu, Jun 24, 2004 at 02:07:25PM +0200, Pawel Malachowski wrote:
> > On Thu, Jun 24, 2004 at 01:37:16PM +0300, Ruslan Ermilov wrote:
> >
> > Hello,
> >
> > > > So you mean that it is only in 5.x branch.
> > > > Is there a patch for 4.10 RELENG ?
> > > >
> > > No, it's just not getting built by default in 4.x.
> > > In 4.x, you need IPFW2=YES in /etc/make.conf, and
> > > possibly ``options IPFW2'' instead of ``options
> > > IPFIREWALL'' in your kernel config file.
>
> it is "in addition to", not "instead of"
>
I have it "instead of" in my kernel configs, and nothing
appears to be broken.
I mean, no code checks for the IPFIREWALL #define, and otherwise
compiling empty ip_fw.o (when both IPFIREWALL and IPFW2 are defined)
into the kernel seems pointless to me.


Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 24 15:47:46 2004
Date: Thu, 24 Jun 2004 09:46:57 -0600 (MDT)
From: Nick Rogness
To: Ruslan Ermilov
In-Reply-To: <20040624072505.GA63534@ip.net.ua>
Message-ID: <20040624094625.I10310@skywalker.rogness.net>
References: <200406240636.i5O6adNV000825@ns.networkersbg.com> <20040624010726.H5174@skywalker.rogness.net> <20040624072505.GA63534@ip.net.ua>
cc: freebsd-ipfw@freebsd.org
cc: Evgeny Ivanov
Subject: Re: tables in ipfw2

On Thu, 24 Jun 2004, Ruslan Ermilov wrote:

> On Thu, Jun 24, 2004 at 01:09:14AM -0600, Nick Rogness wrote:
>> Is there any reason why IPFW2 has not become the standard
>> IPFW...still not stable enough or ??? IPFW2 is backwards
>> compatible with IPFW is it not?
>>
> It's standard in 5.x.

Sorry, I was referring to the 4.10 RELEASE and 4-STABLE.

Nick Rogness
- How many people here have telekinetic powers? Raise my hand.
  -Emo Philips

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 26 08:58:54 2004
Message-ID: <20040626085820.36614.qmail@web53704.mail.yahoo.com>
Date: Sat, 26 Jun 2004 09:58:20 +0100 (BST)
From: Aris Dwi Rahmana
To: freebsd-ipfw@freebsd.org
Subject: ipfw2 support for ipv6 multicast?

Hi,

I want to ask whether ipfw2 supports ipv6 multicast or not. I got a message
"IPFW2: IPV6 Unknown Extension Header (103)" when running pim6sd. Is it a bug,
or does ipfw2 not support the MLD6 packet header (icmp6 header + address header)?
Please respond ASAP.

Thank you in advance.