From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 6 03:41:26 2003
From: "clemens fischer"
To: ipfw@FreeBSD.org
Date: 6 Jul 2003 12:41:21 +0200
Subject: ipfw1 <-> ipfw2 compatibility?

With a working set of ipfw1 rules and the desire to test ipfw2, can I be sure the ipfw1 ruleset will work unmodified with ipfw2 enabled? I have synced both the kernel sources and userland using cvsup(1) today and am rebuilding world.

clemens

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 6 07:02:18 2003
From: Luigi Rizzo
To: clemens fischer
cc: ipfw@freebsd.org
Date: Sun, 6 Jul 2003 07:02:17 -0700
Subject: Re: ipfw1 <-> ipfw2 compatibility?

On Sun, Jul 06, 2003 at 12:41:21PM +0200, clemens fischer wrote:
> with a working set of ipfw1 rules and the desire to test ipfw2, can i
> be sure the ipfw1 ruleset will work unmodified with ipfw2 enabled? i

It depends a lot on which rules you use. You should really read the ipfw manpage in the section detailing the differences between the two. There are ipfw1 bugs that ipfw2 has fixed, and possibly different bugs in ipfw2 that do not exist in ipfw1.

cheers
luigi

> have synced both the kernel sources and userland using cvsup(1) today
> and rebuilding world.
>
> clemens

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 6 18:13:28 2003
From: Luigi Rizzo
To: ari.suutari@syncrontech.com, luigi@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Sun, 6 Jul 2003 18:13:25 -0700 (PDT)
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

Synopsis: patches for ipfw2 to support ipsec packet filtering

State-Changed-From-To: open->closed
State-Changed-By: luigi
State-Changed-When: Sun Jul 6 18:13:14 PDT 2003
State-Changed-Why:
committed, thanks

http://www.freebsd.org/cgi/query-pr.cgi?pr=53624

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 6 19:28:16 2003
From: Michael Sierchio
To: Luigi Rizzo
cc: freebsd-ipfw@FreeBSD.org, ari.suutari@syncrontech.com
Date: Sun, 06 Jul 2003 19:28:11 -0700
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

Luigi Rizzo wrote:
> Synopsis: patches for ipfw2 to support ipsec packet filtering
>
> State-Changed-From-To: open->closed
> State-Changed-By: luigi
> State-Changed-When: Sun Jul 6 18:13:14 PDT 2003
> State-Changed-Why:
> committed, thanks

Question: How does this interact with Sam Leffler's FAST_IPSEC? That is, may we, instead of

options IPFIREWALL
options IPSEC
options IPSEC_ESP
options IPSEC_FILTERGIF

do this

options IPFIREWALL
options FAST_IPSEC
options IPSEC_FILTERGIF

?
From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 6 23:46:28 2003
From: Luigi Rizzo
To: Michael Sierchio
cc: freebsd-ipfw@FreeBSD.org, ari.suutari@syncrontech.com
Date: Sun, 6 Jul 2003 23:46:24 -0700
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

On Sun, Jul 06, 2003 at 07:28:11PM -0700, Michael Sierchio wrote:
> Luigi Rizzo wrote:
> > Synopsis: patches for ipfw2 to support ipsec packet filtering
> >
> > State-Changed-From-To: open->closed
> > State-Changed-By: luigi
> > State-Changed-When: Sun Jul 6 18:13:14 PDT 2003
> > State-Changed-Why:
> > committed, thanks
>
> Question: How does this interact with Sam Leffler's FAST_IPSEC ?

I believe it works in the way you mention.

luigi

> That is, may we instead of
>
> options IPFIREWALL
> options IPSEC
> options IPSEC_ESP
> options IPSEC_FILTERGIF
>
> do this
> options IPFIREWALL
> options FAST_IPSEC
> options IPSEC_FILTERGIF
> ?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 7 11:01:42 2003
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 7 Jul 2003 11:01:41 -0700 (PDT)
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2003/01/26] kern/47529 ipfw  natd/ipfw lose TCP packets for firewalled
o [2003/03/23] kern/50216 ipfw  kernel panic on 5.0-current when use ipfw

2 problems total.

Serious problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557 ipfw  ipfw pipe show fails with lots of queues
o [2003/04/18] kern/51132 ipfw  kernel part of ipfw1 processes 'to not me
o [2003/04/22] kern/51274 ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341 ipfw  ipfw rule 'deny icmp from any to any icmp

4 problems total.

Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534 ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080 ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159 ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564 ipfw  IPFilter and IPFW processing order is not
o [2003/01/05] bin/46785  ipfw  [patch] add sets information to ipfw2 -h
o [2003/02/11] kern/48172 ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086 ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959  ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749  ipfw  ipfw2 incorrectly parses ports and port r
o [2003/04/20] kern/51182 ipfw  ipfw2. -d list shows couters for dynamic

10 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 8 01:52:12 2003
From: Luigi Rizzo
To: gavin@gcameron.org, luigi@FreeBSD.org, ipfw@FreeBSD.org
Date: Tue, 8 Jul 2003 01:52:11 -0700 (PDT)
Subject: Re: kern/51182: ipfw2. -d list shows couters for dynamic rules

Synopsis: ipfw2. -d list shows couters for dynamic rules

State-Changed-From-To: open->closed
State-Changed-By: luigi
State-Changed-When: Tue Jul 8 01:51:41 PDT 2003
State-Changed-Why:
committed a fix, thanks

http://www.freebsd.org/cgi/query-pr.cgi?pr=51182

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 8 01:52:38 2003
From: Luigi Rizzo
To: simon@nitro.dk, luigi@FreeBSD.org, ipfw@FreeBSD.org
Date: Tue, 8 Jul 2003 01:52:37 -0700 (PDT)
Subject: Re: bin/46785: [patch] add sets information to ipfw2 -h

Synopsis: [patch] add sets information to ipfw2 -h

State-Changed-From-To: open->closed
State-Changed-By: luigi
State-Changed-When: Tue Jul 8 01:52:24 PDT 2003
State-Changed-Why:
committed a fix, thanks

http://www.freebsd.org/cgi/query-pr.cgi?pr=46785

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 8 01:59:01 2003
From: Luigi Rizzo
To: eugen@grosbein.pp.ru, luigi@FreeBSD.org, ipfw@FreeBSD.org
Date: Tue, 8 Jul 2003 01:59:00 -0700 (PDT)
Subject: Re: kern/51132: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly

Synopsis: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly

State-Changed-From-To: open->closed
State-Changed-By: luigi
State-Changed-When: Tue Jul 8 01:56:31 PDT 2003
State-Changed-Why:
ipfw1 has never supported 'not me' correctly, so it cannot be
a concern for backward compatibility.

ipfw2 does support 'not me'

http://www.freebsd.org/cgi/query-pr.cgi?pr=51132

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 8 02:45:25 2003
From: Eugene Grosbein
To: Luigi Rizzo
cc: ipfw@FreeBSD.org, eugen@grosbein.pp.ru
Date: Tue, 08 Jul 2003 17:45:16 +0800
Subject: Re: kern/51132: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly

Luigi Rizzo wrote:
>
> Synopsis: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly
>
> State-Changed-From-To: open->closed
> State-Changed-By: luigi
> State-Changed-When: Tue Jul 8 01:56:31 PDT 2003
> State-Changed-Why:
> ipfw1 has never supported 'not me' correctly, so it cannot be
> a concern for backward compatibility.
>
> ipfw2 does support 'not me'
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=51132

I think you should explicitly state in the ipfw man page that 'not me' is not supported by ipfw1.

Eugene Grosbein

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 8 19:31:27 2003
From: zam
To: freebsd-ipfw@freebsd.org
cc: zam4ever@yahoo.com
Date: Wed, 9 Jul 2003 03:31:26 +0100 (BST)
Subject: Dynamic Bandwidth Allocation Using Dummynet

Hi,

Currently my place is using dummynet to distribute the bandwidth allocation among users. In my network we have 42 VLANs, and in the dummynet configuration we divide these LANs into 3 big groups, let's say A, B and C. Using the cron daemon, we have set up 3 configuration files, namely peak.conf, off-peak.conf and evening.conf. These files are rotated at the respective times via crontab. Take a look at this sample of bandwidth allocation from evening.conf:

Group A - 700KBps
Group B - 1500KBps
Group C - 800KBps

Let's say Group A is using 70% of the bandwidth, and at the same time Group C utilizes 100% of the bandwidth; is there any way to make sure that the balance of group A (30%) will be given to Group C?
cheers
zam

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 8 21:34:26 2003
From: Frank Reppin
To: zam
cc: freebsd-isp@freebsd.org, freebsd-ipfw@freebsd.org
Date: Wed, 9 Jul 2003 06:32:45 +0200 (MEST)
Subject: Re: Dynamic Bandwidth Allocation Using Dummynet

Hi zam,
ehlo list-members,

On Wed, 9 Jul 2003, zam wrote:

[...]
> Let say Group A using 70% of the bandwidth, and at the
> same time, Group C utilize 100% of the bandwidth, is
> there any ways to make sure that the balance of group
> A (30%) will be given to Group C?

AFAICT this isn't possible with dummynet itself. :/

But it isn't impossible at all - you can achieve the desired behaviour by using:

http://www.csl.sony.co.jp/person/kjc/kjc/software.html#ALTQ

Off this topic:
===============

IMVHO(1), the Linux HTB development progress seems to outrun FreeBSD dummynet and even ALTQD (KAME) success... I wonder if there are any similar projects (thoughts) in the *BSD world to compensate for this? (If there's anything to compensate, of course! I haven't tried Linux HTB so far myself, but maybe there's someone out there who already did and can share some deeper insights/thoughts!)

thanks in advance and best regards,

Frank Reppin
Heidestr. 15
39112 Magdeburg

(1) I can be very wrong - of course! :) [but I don't think so.] :p

We are a regional ISP using both - dummynet and ALTQD - to perform QoS for our customers (without having a budget for expensive hardware, since mostly everything is done on a volunteer basis). My colleagues here don't blame the currently smoothly working solution - but they think that Linux HTB might perform better (scalability, accuracy, configuration tasks) than the *BSD solution.
-- 43rd Law of Computing: Anything that can go wr fortune: Segmentation violation -- Core dumped From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 9 06:22:37 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D9B8A37B405 for ; Wed, 9 Jul 2003 06:22:37 -0700 (PDT) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 27F2943F3F for ; Wed, 9 Jul 2003 06:22:37 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 54460 invoked from network); 9 Jul 2003 13:22:33 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 9 Jul 2003 13:22:33 -0000 Message-ID: <3F0C1719.3030303@tenebras.com> Date: Wed, 09 Jul 2003 06:22:33 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3.1) Gecko/20030425 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <20030709023126.39182.qmail@web13903.mail.yahoo.com> In-Reply-To: <20030709023126.39182.qmail@web13903.mail.yahoo.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Dynamic Bandwidth Allocation Using Dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2003 13:22:38 -0000 zam wrote: That's very silly. Just state the goal or requirements clearly, and not in terms of your ad hoc solution. > Group A - 700KBps > Group B - 1500KBps > Group C - 800KBps > > Let say Group A using 70% of the bandwidth, and at the > same time, Group C utilize 100% of the bandwidth, is > there any ways to make sure that the balance of group > A (30%) will be given to Group C? 
Your math is a little odd -- Group A using 70% of the bandwidth, and at the same time, Group C utilize 100% -- that adds up to 170%. Are they sharing bandwidth or not? If so, all of everything must add up to 100% (1.0). With dummynet, you can fairly allocate bandwidth based on IP or net or type of traffic, and guarantee that the remainder will go to whomever you wish. At the same time, when there is no contention for bandwidth, any users may use up to 100%. Have you read the man page for ipfw? queue A queue is an abstraction used to implement the WF2Q+ (Worst- case Fair Weighted Fair Queueing) policy, which is an effi- cient variant of the WFQ policy. The queue associates a weight and a reference pipe to each flow, and then all backlogged (i.e., with packets queued) flows linked to the same pipe share the pipe's bandwidth pro- portionally to their weights. read this? http://info.iet.unipi.it/~luigi/ip_dummynet/ From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 9 06:24:17 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C7BA837B401 for ; Wed, 9 Jul 2003 06:24:17 -0700 (PDT) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id D371D43F85 for ; Wed, 9 Jul 2003 06:24:16 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 54473 invoked from network); 9 Jul 2003 13:24:16 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 9 Jul 2003 13:24:16 -0000 Message-ID: <3F0C1780.7010204@tenebras.com> Date: Wed, 09 Jul 2003 06:24:16 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3.1) Gecko/20030425 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: freebsd-isp@freebsd.org References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: 
freebsd-ipfw@freebsd.org Subject: Re: Dynamic Bandwidth Allocation Using Dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2003 13:24:18 -0000 Frank Reppin wrote: > Hi zam, > ehlo list-members, > > On Wed, 9 Jul 2003, [iso-8859-1] zam wrote: > > [...] > >>Let say Group A using 70% of the bandwidth, and at the >>same time, Group C utilize 100% of the bandwidth, is >>there any ways to make sure that the balance of group >>A (30%) will be given to Group C? > > > afaict this isn't possible with dummynet itself. :/ > > (1) I can be very wrong - ofcourse! :) Yes, well -- if you haven't taken the time to understand something, it's hard to express a preference for it over something you do know. Or think you do. See my other message. It's entirely possible to allocate bw and do so fairly with dummynet. From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 9 07:38:47 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 68D5037B404 for ; Wed, 9 Jul 2003 07:38:47 -0700 (PDT) Received: from hotmail.com (law10-f17.law10.hotmail.com [64.4.15.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id DCD5D43FAF for ; Wed, 9 Jul 2003 07:38:46 -0700 (PDT) (envelope-from bsf_40@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 9 Jul 2003 07:38:46 -0700 Received: from 64.1.192.61 by lw10fd.law10.hotmail.msn.com with HTTP; Wed, 09 Jul 2003 14:38:46 GMT X-Originating-IP: [64.1.192.61] X-Originating-Email: [bsf_40@hotmail.com] From: "B F" To: freebsd-ipfw@freebsd.org Date: Wed, 09 Jul 2003 14:38:46 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 09 Jul 2003 14:38:46.0865 (UTC) FILETIME=[CDE71C10:01C34627] Subject: ipfw/divert 
ruleset implementation question X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jul 2003 14:38:48 -0000 Sorry for posting to this developers list, but sending to the general freebsd-questions yielded no responses. Any advice would be appreciated. Thanks. ---------- I'd like to come up a ruleset that handles the following example. Suppose I have a daemon listeing on port 2000 and I'd like outside clients to be able to communicate with the daemon by addressing traffic to port 2000 or port 2001. So, suppose I have for my natd configuration: -redirect_port tcp 1.2.3.4:2000 1.2.3.4:2001 And then in my ipfw ruleset, if I use: add 100 divert natd tcp from any to 1.2.3.4 2001 in via rl0 add 101 divert natd tcp from 1.2.3.4 2000 to any out via rl0 It seems that traffic coming in normally to 1.2.3.4:2000 would enter fine. And traffic coming into 1.2.3.4:2001 would be diverted to natd which would rewrite the destination port as 1.2.3.4:2000. So far so good. But my concern is with the 101 ipfw rule...wouldn't it always rewrite traffic leaving from 1.2.3.4:2000 as 1.2.3.4:2001? In which case is there a way to distinguish the outbound divert to only take place if the traffic was initially diverted on the way in...some sort of divert keep-state? Thanks for any help or explanations. _________________________________________________________________ MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. 
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 9 09:30:52 2003
From: Michael Sierchio
To: freebsd-ipfw@freebsd.org
Date: Wed, 09 Jul 2003 09:30:47 -0700
Message-ID: <3F0C4337.5020003@tenebras.com>
Subject: Re: ipfw/divert ruleset implementation question

B F wrote:
> I'd like to come up with a ruleset that handles the following example.
> Suppose I have a daemon listening on port 2000 and I'd like outside
> clients to be able to communicate with the daemon by addressing traffic
> to port 2000 or port 2001.
> So,
>
> suppose I have for my natd configuration:
> -redirect_port tcp 1.2.3.4:2000 1.2.3.4:2001
>
> And then in my ipfw ruleset, if I use:
> add 100 divert natd tcp from any to 1.2.3.4 2001 in via rl0
> add 101 divert natd tcp from 1.2.3.4 2000 to any out via rl0

What you are doing could simply be accomplished with

    add 100 divert natd tcp from any to any via rl0

If for some reason you need separate rules for in/out packets, give
them the same rule number.

> It seems that traffic coming in normally to 1.2.3.4:2000 would enter
> fine. ...

Why are you speculating?

> ....some sort of
> divert keep-state?

It's called 'natd' -- it keeps connection state.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 9 14:15:53 2003
From: Diego Linke - GAMK
To: freebsd-ipfw@freebsd.org
Date: Wed, 9 Jul 2003 18:13:08 -0300
Message-Id: <20030709181308.573bacf4.linke@calnet.com.br>
Subject: I have four ideas for IPFW2

I have four ideas for IPFW2 (features):

Idea 1)

When using:
    ipfw add allow ip from any to me via xl0
is equal:
    ipfw add allow ip from any to { IP_xl0 or IP_xl1 or IP_rl0 or ... } via xl0

My idea is a keyword specific for each interface.
Sample:
    ipfw add allow ip from any to me_xl0 via xl0

Idea 2)

keyword "net" :-)
As we have the IP and netmask of each interface, it would be easy to get the net.
Sample:
    ipfw add allow ip from any to net_xl0 via xl0

Idea 3)

The logs with more information, as (tcpflags (syn,ack,fin,rst...), ipoptions, iplen, iptos, ipttl...)
This could be called by one keyword (ex: logfull) in the IPFW.
Sample:
    ipfw add deny logfull ...

Or a sysctl variable :-)

Idea 4)

When we execute:
    ipfw -qf flush

The dynamic rules are flushed.

My idea is an option to define if Yes or No flushed Dyn Rule.
Example:

    ipfw -nqf flush

-n = Don't flush Dyn Rules.

This would not erase the dyn rules and yes only the static rules.
As each dynamic rule is entailed to the one static rule, these dynamic rules would be disentailed UP however.

These are my ideas.
Thanks for all :D

--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk@gamk.com.br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 9 16:44:10 2003
From: Gregory Bond
To: Diego Linke - GAMK
cc: freebsd-ipfw@freebsd.org
Date: Thu, 10 Jul 2003 09:43:55 +1000
Message-Id: <200307092343.JAA04684@lightning.itga.com.au>
Subject: Re: I have four ideas for IPFW2

> My idea is a keyword specific for each interface.
> Sample:
> ipfw add allow ip from any to me_xl0 via xl0

This is easy to do with a little bit of shell hacking in rc.firewall

    me_xl0=`ifconfig xl0 | awk '/inet /{ print $2;}'`

Ditto for net_xl0.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 9 16:58:40 2003
From: "Alex S. Burba"
To: Gregory Bond
cc: freebsd-ipfw@freebsd.org
cc: Diego Linke - GAMK
Date: Thu, 10 Jul 2003 03:58:24 +0400
Message-ID: <3F0CAC20.7070206@okbmei.ru>
Subject: Re: I have four ideas for IPFW2

Gregory Bond wrote:
>> My idea is a keyword specific for each interface.
>> Sample:
>> ipfw add allow ip from any to me_xl0 via xl0
>
> This is easy to do with a little bit of shell hacking in rc.firewall
>     me_xl0=`ifconfig xl0 | awk '/inet /{ print $2;}'`
>
> Ditto for net_xl0.

Ya, that's right. :)
The power of ipfw in its simplicity.
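Gregory Bond's rc.firewall hack, worked through as an added example that is not code from the thread: it derives both me_xl0 and the net_xl0 value Diego asked for from constructed FreeBSD-style ifconfig output, so it runs without a real xl0. The interface name, the 192.0.2.0/24 address and the rule numbers are constructed.

```shell
#!/bin/sh
# Added example (not from the list thread).  Computes me_xl0 / net_xl0 the
# way the rc.firewall one-liner does.  Trade-off to keep in mind: these
# values are captured once, when the rules are loaded, whereas ipfw's "me"
# keyword is evaluated by the kernel for every packet, so a later address
# change on xl0 silently breaks rules built from these variables.  For the
# anti-spoofing use of net_xl0 the kernel already offers the "verrevpath"
# rule option and the net.inet.ip.check_interface sysctl.

# Constructed sample of `ifconfig xl0` output (documentation address space).
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01
        status: active'

# me_<if>: the interface's first IPv4 address (same awk as on the list;
# "inet " with the trailing space skips inet6 lines).
if_addr() {
    printf '%s\n' "$1" | awk '/inet /{ print $2; exit }'
}

# The hex netmask field exactly as ifconfig prints it, e.g. 0xffffff00.
if_mask() {
    printf '%s\n' "$1" | awk '/inet /{ print $4; exit }'
}

# Hex netmask -> prefix length by counting leading one bits (0xffffff00 -> 24).
mask_to_prefix() {
    m=$(( $1 )) n=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        n=$(( n + 1 ))
        m=$(( (m << 1) & 0xffffffff ))
    done
    echo "$n"
}

# net_<if>: the attached network in CIDR form (192.0.2.10 + 0xffffff00 -> 192.0.2.0/24).
if_net() {
    addr=$(if_addr "$1")
    mask=$(if_mask "$1")
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs      # split the dotted quad
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    net=$(( ip & $mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) \
        "$(mask_to_prefix "$mask")"
}

# The rule text rc.firewall would hand to ipfw once the variables expand.
# "in recv xl0" is the direction-specific form for traffic arriving on xl0.
ipfw_rules() {
    me_xl0=$(if_addr "$SAMPLE_IFCONFIG")
    net_xl0=$(if_net "$SAMPLE_IFCONFIG")
    printf 'add 1000 allow ip from any to %s in recv xl0\n' "$me_xl0"
    printf 'add 1010 allow ip from %s to any in recv xl0\n' "$net_xl0"
}

ipfw_rules
```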
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 9 18:51:58 2003
From: Luigi Rizzo
To: Gregory Bond
cc: freebsd-ipfw@freebsd.org
cc: Diego Linke - GAMK
Date: Wed, 9 Jul 2003 18:51:45 -0700
Message-ID: <20030709185145.A7164@xorpc.icir.org>
Subject: Re: I have four ideas for IPFW2

On Thu, Jul 10, 2003 at 09:43:55AM +1000, Gregory Bond wrote:
> > My idea is a keyword specific for each interface.
> > Sample:
> > ipfw add allow ip from any to me_xl0 via xl0
>
> This is easy to do with a little bit of shell hacking in rc.firewall
>     me_xl0=`ifconfig xl0 | awk '/inet /{ print $2;}'`

actually not. "me" is evaluated at runtime so if the interface address
changes your awk hack will fail.

This said, "... to me_xl0 via xl0" (where btw i do not understand the
'via' part as it will only make sense as 'in recv xl0') seems to break
in case you are multihomed because it would require people to use a
different address to talk to you according to which side they are...

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 10 02:13:17 2003
From: Christian Kratzer
To: Luigi Rizzo
Date: Thu, 10 Jul 2003 11:12:49 +0200 (CEST)
Message-ID: <20030710110751.L84774@majakka.cksoft.de>
In-Reply-To: <20030706234624.A45394@xorpc.icir.org>
cc: freebsd-ipfw@FreeBSD.org
cc: ari.suutari@syncrontech.com
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

Hi,

On Sun, 6 Jul 2003, Luigi Rizzo wrote:
> On Sun, Jul 06, 2003 at 07:28:11PM -0700, Michael Sierchio wrote:
> > Luigi Rizzo wrote:
> > > Synopsis: patches for ipfw2 to support ipsec packet filtering
> > >
> > > State-Changed-From-To: open->closed
> > > State-Changed-By: luigi
> > > State-Changed-When: Sun Jul 6 18:13:14 PDT 2003
> > > State-Changed-Why:
> > > committed, thanks
> >
> > Question: How does this interact with Sam Leffler's FAST_IPSEC ?
>
> i believe it works in the way you mention.
>
> luigi
>
> > That is, may we instead of
> >
> > options IPFIREWALL
> > options IPSEC
> > options IPSEC_ESP
> > options IPSEC_FILTERGIF
> >
> > do this
> > options IPFIREWALL
> > options FAST_IPSEC
> > options IPSEC_FILTERGIF

We applied the patch to a RELENG_4 system but can't seem to be able to
catch packets based on them having ipsec history or not.

We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel
config. We currently have an ipsec esp tunnel running between two
locations without any gif tunnels.

IPSEC_FILTERGIF seems to be working fine as packets are now being
filtered by our ipfw ruleset. We can't match any packets based on the
ipsec or not ipsec flags in ipfw2.

I just wanted to ask if somebody knows the obvious before I start
digging my head in the code.

Greetings
Christian

--
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de   Phone: +49 7452 889-135   Fax: +49 7452 889-136
Open Software Solutions, Network Security
FreeBSD spoken here!

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 10 15:12:58 2003
From: "Crist J. Clark"
To: Diego Linke - GAMK
cc: freebsd-ipfw@freebsd.org
Date: Thu, 10 Jul 2003 15:12:31 -0700
Message-ID: <20030710221231.GB60029@blossom.cjclark.org>
Subject: Re: I have four ideas for IPFW2

On Wed, Jul 09, 2003 at 06:13:08PM -0300, Diego Linke - GAMK wrote:
> I have four ideas for IPFW2 (features):
>
>
> Idea 1)
>
> When using:
> ipfw add allow ip from any to me via xl0
> is equal:
> ipfw add allow ip from any to { IP_xl0 or IP_xl1 or IP_rl0 or ... } via xl0
>
> My idea is a keyword specific for each interface.
> Sample:
> ipfw add allow ip from any to me_xl0 via xl0

I believe you are looking for the net.inet.ip.check_interface sysctl(8)
variable.

> Idea 2)
>
> keyword "net" :-)
> As we have the IP and netmask of each interface, it would be easy to get the net.
> Sample:
> ipfw add allow ip from any to net_xl0 via xl0

Do you really have a firewall whose attached networks behind it change
dynamically? For the alternate case of dynamic anti-spoofing, something
like,

    ipfw add allow ip from net_xl0 to any via xl0

The 'verrevpath' option already does that.

> Idea 3)
>
> The logs with more information, as (tcpflags (syn,ack,fin,rst...), ipoptions, iplen, iptos, ipttl...)
> This could be called by one keyword (ex: logfull) in the IPFW.
> Sample:
> ipfw add deny logfull ...
>
> Or a sysctl variable :-)

I have ancient patches on my FreeBSD homepage for that. Maybe someday
I'll update them or even commit them.

> Idea 4)
>
> When we execute:
> ipfw -qf flush
>
> The dynamic rules are flushed.
>
> My idea is an option to define if Yes or No flushed Dyn Rule.
> Example:
>
> ipfw -nqf flush
>
> -n = Don't flush Dyn Rules.
>
> This would not erase the dyn rules and yes only the static rules.
> As each dynamic rule is entailed to the one static rule, these dynamic rules would be disentailed UP however.

"Disentailed UP?" ENOPARSE. I think you are alluding to the problem
that dynamic rules cannot exist in ipfw(8) without a parent rule.
But I have no idea how you are proposing to get around that.

--
Crist J. Clark                    | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/   | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 12 00:22:23 2003
From: Luigi Rizzo
To: ipfw@freebsd.org
Date: Sat, 12 Jul 2003 00:22:22 -0700
Message-ID: <20030712002222.A78447@xorpc.icir.org>
Subject: [luigi@FreeBSD.org: cvs commit: src/sbin/ipfw ipfw2.c]

FYI... just committed two new ipfw2 features:

 * support ranges in "list" and "show" commands. Now you can say

        ipfw show 100-1000 4000-8000

 * implement comments in ipfw commands. These are implemented in the
   kernel as O_NOP commands (which always match) whose body contains
   the comment string. In userland, a comment is a C++-style comment
   appended to the rule:

        ipfw add allow ip from me to any // i can talk to everybody

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 12 10:41:35 2003
From: MATOBA Hirozumi
To: freebsd-ipfw@freebsd.org
Date: Sun, 13 Jul 2003 02:41:27 +0900 (JST)
Message-Id: <20030713.024127.730548457.matoba@st.rim.or.jp>
In-Reply-To: <20030712002222.A78447@xorpc.icir.org>
Subject: Re: [luigi@FreeBSD.org: cvs commit: src/sbin/ipfw ipfw2.c]

On Sat, 12 Jul 2003 00:22:22 -0700, Luigi Rizzo wrote:
| * implement comments in ipfw commands. These are implemented in the
|   kernel as O_NOP commands (which always match) whose body contains
|   the comment string. In userland, a comment is a C++-style comment
|   appended to the rule:
|
|       ipfw add allow ip from me to any // i can talk to everybody

I use ipfw like

    /sbin/ipfw -p /usr/bin/cpp /etc/firewall

because I put "#define", "#if 0", etc. in /etc/firewall. So some lines
that are passed to ipfw_main() may be empty.

But, in ipfw_main() of new ipfw2.c line 3609 (v 1.33 2003/07/12 08:35:25),

    if (l == 0)     /* empty string! */
        show_usage();

So when I used new ipfw, I got the error below.

    command is /usr/bin/cpp
    usage: ipfw [options]
    do "ipfw -h" or see ipfw manpage for details

I tried an ad hoc change

    if (l == 0)     /* empty string! */
        return(0);

and re-compiled ipfw, then ipfw worked as well as before updating ipfw.
(I'm not sure this ad hoc change is proper or not)

--
matoba@st.rim.or.jp