From owner-freebsd-ipfw Fri Apr 6 2:41:18 2001
From: michal.kutnohorsky@asp1000.com
To: freebsd-ipfw@freebsd.org
Subject: ipfw logging isn't enabled during booting
Date: Fri, 6 Apr 2001 11:38:03 +0200
Message-ID: <381F2A6B1CC4C449B19CA48BA7A2A87B0E1DB8@server.asp1000.cz>

Hi,

I have a problem with ipfw. I recompiled the kernel with IPFIREWALL_VERBOSE and IPDIVERT.
In rc.conf I enabled this:

gateway_enable="YES"
natd_enable="YES"        ---- // I run natd with -interface xl0
firewall_enable="YES"

After rebooting the system I found this in dmesg:

ip packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging disabled.

and on the console it wrote an error message: "ipfw_ctl bad command" - or something like this.

The firewall is working, natd too, but as you can see logging is disabled, but it should be enabled if the kernel is recompiled with IPFIREWALL_VERBOSE.

When I enable logging with the command net.inet.ip.fw.verbose=1 it's working.

Should I use some patch, or is it a fault of the configuration?
Thanks for help,
Michal

x--------------------------x
|-- Michal Kutnohorsky -- |
|-- michalk@asp1000.com -- |
|-- icq 24864416       -- |
|   \_/  -- have one too -- |
x--------------------------x

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sat Apr 7 12:31:27 2001
From: Sean Chittenden
To: michal.kutnohorsky@asp1000.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw logging isn't enabled during booting
Date: Sat, 7 Apr 2001 12:31:20 -0700
Message-ID: <20010407123120.B85113@rand.tgd.net>
In-Reply-To: <381F2A6B1CC4C449B19CA48BA7A2A87B0E1DB8@server.asp1000.cz>

> after rebooting system i found this in dmesg
> ip packet filtering initialized, divert enabled, rule-based forwarding
> disabled, default to deny, logging disabled.
>
> and on console it wrote error message: "ipfw_ctl bad command" - or something
> like this

Hmm.... sounds like a typo in your /etc/rc.firewall.
> firewall is working, natd too
>
> but as you can see logging is disabled but should be enabled if the kernel is
> recompiled with IPFIREWALL_VERBOSE

options IPFIREWALL                  # firewall
options IPFIREWALL_VERBOSE          # print info about dropped packets
options IPFIREWALL_VERBOSE_LIMIT=1000

> when i enable logging by command net.inet.ip.fw.verbose=1 it's working
>
> should i use some patch or is it a fault of configuration?

Configuration. Here are some entries out of /etc/defaults/rc.conf. Try firewall_logging="YES" and rebooting.

### Basic network and firewall/security options: ###
firewall_enable="NO"                # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
firewall_type="UNKNOWN"             # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"                 # Set to YES to suppress rule display
firewall_logging="NO"               # Set to YES to enable events logging
firewall_flags=""                   # Flags passed to ipfw when type is a file

--
Sean Chittenden
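An added check, not from the thread, that reads an rc.conf fragment and the ipfw banner line from dmesg and says whether logging will be on after boot; it assumes the firewall_enable and firewall_logging knobs quoted in the reply, and the rc.conf contents and banner below are constructed to mirror the original post.

```sh
#!/bin/sh
# Added example: decide whether an rc.conf will make the FreeBSD boot scripts
# turn on ipfw logging, and relate that to the ipfw banner printed in dmesg.

# Print the value of KEY="VALUE" (or KEY=VALUE) from an rc.conf-style file; last wins.
rc_value() {
    sed -n -E "s/^[[:space:]]*$1=\"?([^\"#[:space:]]*)\"?.*$/\1/p" "$2" | tail -n 1
}

# YES if rc.conf asks for the firewall and for its logging, otherwise NO.
rc_logging_requested() {
    if [ "$(rc_value firewall_enable "$1")" = "YES" ] &&
       [ "$(rc_value firewall_logging "$1")" = "YES" ]; then
        echo YES
    else
        echo NO
    fi
}

# Pull "enabled" or "disabled" out of the ipfw init banner seen in dmesg.
banner_logging_state() {
    printf '%s\n' "$1" | sed -n -E 's/.*logging (enabled|disabled).*/\1/p'
}

# One-line diagnosis: the banner is printed by the kernel before rc.conf is read,
# so "logging disabled" there only matters if rc.conf never turns logging on.
diagnose() {   # $1 = rc.conf path, $2 = dmesg banner line
    case "$(rc_logging_requested "$1")/$(banner_logging_state "$2")" in
        */enabled)    echo "kernel logging already on" ;;
        YES/disabled) echo "rc.conf requests logging; boot scripts set net.inet.ip.fw.verbose=1 later" ;;
        NO/disabled)  echo "logging stays off: add firewall_logging=\"YES\" to rc.conf" ;;
        *)            echo "unrecognised banner line" ;;
    esac
}

# Constructed rc.conf mirroring the original post (firewall on, logging knob absent).
SAMPLE_RC=$(mktemp)
cat >"$SAMPLE_RC" <<'EOF'
gateway_enable="YES"
natd_enable="YES"
natd_interface="xl0"
firewall_enable="YES"
EOF
BANNER='ip packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging disabled.'

diagnose "$SAMPLE_RC" "$BANNER"                 # logging stays off: add firewall_logging="YES" ...
echo 'firewall_logging="YES"' >>"$SAMPLE_RC"    # the fix suggested in the reply
diagnose "$SAMPLE_RC" "$BANNER"                 # rc.conf requests logging; ...
```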
From owner-freebsd-ipfw Sat Apr 7 22:11:12 2001
From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
Date: Sun, 08 Apr 2001 05:10:46 +0000
To: snap-users@kame.net
Cc: users@ipv6.org, net@freebsd.org, ipfw@freebsd.org
Subject: Consolidating KAME SPD rules and IPFW / IPfilter.
Message-ID: <3ACFF2D6.13219EAB@aurora.regenstrief.org>
References: <3ACD6099.471BE93A@aurora.regenstrief.org> <20010406201920R.sakane@ydc.co.jp>

Hi,

Itojun says this has been discussed before and that the solution is almost ready to go. I can take some time off from my day job to help with this, which is why I want to know exactly the status and direction. This is my proposal, not knowing what the folks at KAME and FreeBSD have been cooking:

> [VPN application] In practice I will almost always end up combining
> IPFW and IPsec in my security solutions with *BSD/kame. And I find
> it kind of odd that IPFW and IPsec shouldn't work together better
> than they do now. [...]
>
> I think that the separate IPsec policy management in setkey is
> somewhat superfluous. It could all very well be handled by IPFW
> rules such as something like this:
>
> ipfw add 1000 divert ipsecd 1010 all from to out
>
> ipfw add 1001 divert ipsecd 1020 50 from to in
> ipfw add 1001 divert ipsecd 1022 51 from to in
>
> this means, an IPsec daemon (ipsecd) would listen on a divert
> socket (like natd does) and do its thing on the packets. I
> understand that the SPD contains more data, and that's what
> my numbers 1010, 1020, 1022 would refer to (an SPD identifier).
> The SPD would now simply contain the parameters of the IPsec mode
> (ESP vs. AH, transport vs. tunnel, tunnel endpoints, etc.) but not
> the matching rule stuff. I think that ipfw does a pretty good job
> with the matching rules, so why do the same thing in two places?

Itojun wrote in response:

> this is the tricky part.
> IPsec policy and ipfw/ipfilter/divert/
> whatever is doing almost the same thing, and conflict in very difficult
> ways. I'm trying to improve the NetBSD situation, as shown in
> http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction.
> NetBSD 1.5.1/1.6 should be a lot better than before.
>
> for FreeBSD, there was a discussion on one of the FreeBSD mailing lists.
> not sure the particular change got committed to the FreeBSD tree or not.
>
> the ultimate solution would be to integrate the packet filter and ipsec
> policy engine into one; there's an ongoing effort in that direction.

And obviously I fully agree. But the problem for the KAME folks seems to be that the *BSDs are disparate and moving targets for consolidating packet filtering and IPsec policy management.

Shoichi Sakane wrote:

> [...] I am not sure all *bsd have the same method to hook an ip packet.
> Do all *bsd have ipfw in this case? I know IPFilter is implemented
> on FreeBSD, NetBSD and OpenBSD. But it cannot handle an ipv6 packet
> accurately.
>
> I would like to use a generally useful packet filter function in order to process
> IPSec if it is implemented on all *bsd.

And he also mentions:

> First, the KAME IPSec stack is not friendly with NAT. We don't live in a NAT
> environment, so we have never considered being with NAT.
> If you want to use NAT with IPSec, you have to consider the changing IP
> address in the IP packet and the processing order.

To which I can only say that in the IPv4 world and VPN, NAT is almost mandatory. For me, using NAT allows me to set up VPN-specific routing for my special project within a corporate network without bothering the network administrator about using FreeBSD instead of their Cisco stuff for routing. FreeBSD/KAME needs NAT to allow it to be used in production environments today. NAT comes with IPFW, which is where the circle closes. I would prefer combining IPsec policy with IPFW rather than IPfilter. But I may not have the full scoop about IPfilter.
What's FreeBSD's direction? I would also rather see one way, IPFW or IPfilter, being mainstream on FreeBSD and NetBSD (for very selfish reasons, i.e., once I need to deploy my stuff on a StrongARM board, I must switch to NetBSD). I like IPFW a lot and my understanding is that it can do more than IPfilter, but I may be wrong?

I am tempted to "outsource" the IPsec functionality away from the kernel using a daemon on a divert socket, just like natd. This would be more modular and keep the kernel from panicking because of bugs in IPsec -- I did have embarrassing kernel crashes, just when I bragged about FreeBSD running rock solid :0(. I have read about pipsecd, but would like to stand by the excellent work of the KAME people.

regards
-Gunther

--
Gunther Schadow, M.D., Ph.D.                      gschadow@regenstrief.org
Medical Information Scientist        Regenstrief Institute for Health Care
Adjunct Assistant Professor           Indiana University School of Medicine
tel:1(317)630-7960                            http://aurora.regenstrief.org