From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 14 11:07:00 2008
Date: Mon, 14 Jul 2008 11:06:59 GMT
Message-Id: <200807141106.m6EB6x0C014446@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
List-Id: IPFW Technical Discussions

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/112708  ipfw  [ipfw] ipfw is seems to be broken to limit number of c
o kern/117234  ipfw  [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/118993  ipfw  [ipfw] page fault - probably it's a locking problem
o conf/123119  ipfw  [patch] rc script for ipfw does not handle IPv6

15 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
s kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw  [ipfw] ipfw fwd doesn't seem to work
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw  [ipfw][patch] Addition actions with rules within speci
o docs/113803  ipfw  [patch] ipfw(8) - don't get bitten by the fwd rule
o bin/115172   ipfw  [patch] ipfw(8) list show some rules with a wrong form
p kern/115755  ipfw  [ipfw][patch] unify message and add a rule number wher
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/121382  ipfw  [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
o bin/125370   ipfw  [ipfw] [patch] increase a line buffer limit

30 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 16 20:39:35 2008
Date: Wed, 16 Jul 2008 16:13:49 -0400
Message-ID: <523561090807161313l17d01288g29b4c7545d10d0d0@mail.gmail.com>
From: "Mike Ragusa"
To: freebsd-ipfw@FreeBSD.org
Subject: ipfw and dynamic rulesets

I am using fwknop 1.9.5 and FreeBSD 7-stable with ipfw compiled into the kernel. I am currently unable to get ipfw to update the dynamic rulesets after I knock on the firewall and open up the ssh port. My ruleset is as follows:

ipfw add 010 allow from any to any via lo0
ipfw add 200 check-state
ipfw add 203 allow all from any to any out keep-state setup

00010 allow ip from any to any via lo0
00200 check-state
00203 allow ip from any to any out setup keep-state
65535 deny ip from any to any

fwknop uses rule 201 to add to the firewall and adds the rule

00201 allow tcp from 156.132.40.212 to any dst-port 22 keep-state

When I run ipfw list or ipfw show, I see my ruleset but I do not see the dynamic rules, which causes the connection to die once fwknopd reaches its 30 second timeout, because nothing has been added to the state table/dynamic ruleset.

Suggestions are welcome :)

Thank You,
Mike
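The situation the post above describes, as an added example that is not part of the original thread and is not fwknop's or FreeBSD's own code: a POSIX sh helper that inspects ipfw's dynamic state listing and tells apart "no state was ever created" from "the listing simply has no dynamic section". It relies on two facts about ipfw: a keep-state rule installs a state entry only when a packet actually matches that rule, and `ipfw list` / `ipfw show` print dynamic entries only when given the `-d` flag (`-e` additionally includes expired ones). The sample listing, the peer addresses 10.0.0.1 and 192.0.2.10, and the function names are constructed for the example; the column layout approximates what FreeBSD 7's ipfw prints and is an assumption to confirm against a real `ipfw -d show` before trusting the field positions.

```shell
#!/bin/sh
# Added example, not from the original thread or from fwknop/FreeBSD: check
# ipfw's dynamic state table for the entry a keep-state rule should create.
# Assumes FreeBSD ipfw, where dynamic rules are printed only when listing
# with -d (`ipfw -d show`); plain `ipfw show`/`ipfw list` prints static
# rules only, so a state entry missing from that output proves nothing.

# Constructed sample of `ipfw -d show` output. The layout approximates the
# FreeBSD 7 format (assumption): static rules, then a "## Dynamic rules"
# header, then one line per state: rule number, packets, bytes, (expiry),
# STATE, proto, src-addr src-port <-> dst-addr dst-port.
SAMPLE_OUTPUT='00010       0          0 allow ip from any to any via lo0
00200       0          0 check-state
00201       3        180 allow tcp from 156.132.40.212 to any dst-port 22 keep-state
00203      12       1840 allow ip from any to any out setup keep-state
65535      40       2400 deny ip from any to any
## Dynamic rules (2):
00201       3        180 (295s) STATE tcp 156.132.40.212 51022 <-> 10.0.0.1 22
00203      12       1840 (299s) STATE tcp 10.0.0.1 44021 <-> 192.0.2.10 443'

# The same firewall listed without -d: no dynamic section at all.
STATIC_ONLY=$(printf '%s\n' "$SAMPLE_OUTPUT" | sed '/^## Dynamic rules/,$d')

# has_dyn_section LISTING: true if the listing contains the dynamic section.
has_dyn_section() {
    printf '%s\n' "$1" | grep -q '^## Dynamic rules'
}

# dyn_states LISTING: print only the state lines that follow the header.
dyn_states() {
    printf '%s\n' "$1" | sed -n '/^## Dynamic rules/,$p' | grep -E '^[0-9]{5} ' || true
}

# count_states LISTING RULENUM: number of STATE entries owned by RULENUM.
count_states() {
    dyn_states "$1" | awk -v r="$2" '$1 + 0 == r + 0 && $5 == "STATE" { n++ } END { print n + 0 }'
}

# has_state LISTING RULENUM SRC_IP DST_PORT: exit 0 if RULENUM owns a STATE
# entry whose first endpoint is SRC_IP and whose peer port is DST_PORT.
has_state() {
    dyn_states "$1" | awk -v r="$2" -v s="$3" -v p="$4" '
        $1 + 0 == r + 0 && $5 == "STATE" && $7 == s && $11 + 0 == p + 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# state_report LISTING RULENUM SRC_IP DST_PORT: one word on stdout, so the
# three situations a knock can leave you in are told apart.
state_report() {
    if ! has_dyn_section "$1"; then
        echo "no-dynamic-section"   # listing was taken without -d
    elif has_state "$@"; then
        echo "present"              # keep-state fired for this client
    else
        echo "absent"               # rule exists but no packet has matched it yet
    fi
}

# Against the live firewall (root on the FreeBSD host; rule number, client
# address and port come from the knock policy, 201 and 22 as in the post):
#   state_report "$(ipfw -d show)" 201 156.132.40.212 22
```

Run `state_report` against `ipfw -d show` right after the knock, and again after fwknopd's timeout has removed rule 201; comparing the two listings shows whether the state entry was ever created and whether it outlives the deletion of its parent rule, which is the distinction that decides whether an established ssh session survives.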