From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov  2 11:06:57 2009
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 2 Nov 2009 11:06:57 GMT
Message-Id: <200911021106.nA2B6v2L033636@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

64 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov  4 16:50:03 2009
From: jakub
To: freebsd-ipfw@freebsd.org
Date: Wed, 4 Nov 2009 17:37:23 +0100
Message-ID: <1257352643.7731.8.camel@dell>
Subject: Diverting sockets and streams

Hi list,

I have a newbie question about divert sockets but I can't find a direct
answer.

I have a rule like this:

ipfw add divert 5555 tcp from me to any 80 keep-state

If I understand it correctly, in order to check the data stream properly
I have to deal with:

1. packet reordering
2. packet duplication

so basically I have to implement part of the TCP stack in my app.
I don't have to bother with fragmentation (according to man pages).
I won't be able to understand IPSec packets as I will get encrypted IP
frames.

Am I correct? Or can you please tell me how it really works?

Thanks a lot,
Jakub

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov  4 17:44:47 2009
From: Julian Elischer
To: jakub
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 04 Nov 2009 09:44:46 -0800
Message-ID: <4AF1BD8E.207@elischer.org>
In-Reply-To: <1257352643.7731.8.camel@dell>
Subject: Re: Diverting sockets and streams

jakub wrote:
> Hi list,
>
> I have a newbie question about divert sockets but I can't find a direct
> answer.
>
> I have a rule like this:
>
> ipfw add divert 5555 tcp from me to any 80 keep-state
>
> If I understand it correctly, in order to check the data stream properly
> I have to deal with:
>
> 1. packet reordering
> 2. packet duplication

yes, divert treats each packet individually with the exception of frags
which it reassembles.

> so basically I have to implement part of the TCP stack in my app.

yes, though there may be other ways to do what you want..
what DO you want to do?

> I don't have to bother with fragmentation (according to man pages).
> I won't be able to understand IPSec packets as I will get encrypted IP
> frames.

yes

> Am I correct? Or can you please tell me how it really works?

packets enter the system and are run through the IP stack where the first
thing they hit is ipfw. in ipfw the divert rule forces them to the divert
code (which does reassembly but that's all) and passes the result to a
divert socket.

there is a possibility that done correctly with ESP one might be able to
get to the unencrypted packet but you'd have to read the code starting at
ip_input() in ip_input.c to check for sure.

> Thanks a lot,
>
> Jakub

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov  5 08:46:25 2009
From: Jakub Bednar
To: Julian Elischer
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 5 Nov 2009 09:47:27 +0100
In-Reply-To: <4AF1BD8E.207@elischer.org>
Subject: Re: Diverting sockets and streams

Hi Julian,

thanks for making this clear to me.

>> so basically I have to implement part of the TCP stack in my app.
>
> yes, though there may be other ways to do what you want..
> what DO you want to do?

I need to make a transparent proxy e.g. HTTP proxy, that will be able to
scan the data stream for some security problems (exploits or whatever).

I had a solution based on packet forwarding and packet UID matching
rather than divert sockets. This solution works fine on FreeBSD, Linux
and Mac OS X Leopard. However in the new Mac OS X Snow Leopard,
forwarding outgoing packets to local port does not work. So I'm looking
for another solution.

Jakub

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov  5 08:56:26 2009
From: Julian Elischer
To: Jakub Bednar
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 05 Nov 2009 00:56:25 -0800
Message-ID: <4AF29339.3050102@elischer.org>
Subject: Re: Diverting sockets and streams

Jakub Bednar wrote:
> Hi Julian,
>
> thanks for making this clear to me.
>
>>> so basically I have to implement part of the TCP stack in my app.
>>
>> yes, though there may be other ways to do what you want..
>> what DO you want to do?
>
> I need to make a transparent proxy e.g. HTTP proxy, that will be able to
> scan the data stream for some security problems (exploits or whatever).
>
> I had a solution based on packet forwarding and packet UID matching
> rather than divert sockets. This solution works fine on FreeBSD, Linux
> and Mac OS X Leopard. However in the new Mac OS X Snow Leopard,
> forwarding outgoing packets to local port does not work. So I'm looking
> for another solution.

sounds like they broke it.. maybe they inherited a change from FreeBSD
that was reverted out but existed for one release, that broke exactly
that :-)

ipfw fwd along with fwd uid is the way to do this on FreeBSD but snow
leopard IS a problem.

doing it with divert is going to be a real pain.

you can also do this with nat in some cases I think..

> Jakub
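Julian's answer above is that divert(4) hands the application every packet individually (only fragments are reassembled), so the reordering and duplication Jakub lists become the scanning proxy's job. The following is an added illustration, not code from this thread: a minimal one-direction TCP payload reassembler that takes each segment's sequence number and payload (which a divert reader would parse out of the raw IP/TCP headers it receives), delivers bytes in order, discards retransmitted data, and caps the out-of-order hold queue so a stream that keeps leaving gaps cannot make the scanner grow without bound. The class and function names, and the `max_pending` guard, are assumptions of this example.

```python
from dataclasses import dataclass, field
MOD = 1 << 32  # TCP sequence numbers live in a 32-bit ring: compare modulo 2**32

def seq_lt(a: int, b: int) -> bool:
    """True when a precedes b in sequence space, tolerating wraparound."""
    return ((a - b) & (MOD - 1)) >= (MOD >> 1)
def seq_le(a: int, b: int) -> bool:
    return a == b or seq_lt(a, b)

@dataclass
class StreamReassembler:
    """Reorders and de-duplicates one direction of a TCP byte stream."""
    next_seq: int             # sequence number of the next byte to deliver
    max_pending: int = 64     # cap on held out-of-order segments (assumed memory guard)
    pending: dict = field(default_factory=dict)  # start seq -> payload waiting for a gap
    duplicates: int = 0
    dropped: int = 0

    def feed(self, seq: int, payload: bytes) -> bytes:
        """Accept one segment's payload; return the bytes now deliverable in order."""
        if not payload:
            return b""
        end = (seq + len(payload)) % MOD
        if seq_le(end, self.next_seq):        # entirely old data: a retransmit
            self.duplicates += 1
            return b""
        if seq_lt(seq, self.next_seq):        # partial overlap: trim the already-seen prefix
            payload, seq = payload[(self.next_seq - seq) % MOD:], self.next_seq
        if seq != self.next_seq:              # hole before it: hold until the gap is filled
            if seq not in self.pending and len(self.pending) >= self.max_pending:
                self.dropped += 1             # the peer will retransmit; never grow unbounded
            else:
                self.pending.setdefault(seq, payload)   # keep the first copy of a held segment
            return b""
        out = bytearray()
        while payload is not None:            # deliver, then drain what is now contiguous
            out += payload
            self.next_seq = (seq + len(payload)) % MOD
            seq, payload = self._pop_ready()
        return bytes(out)

    def _pop_ready(self):
        """Pop a held segment starting at or before next_seq, trimmed; (None, None) if none."""
        for s in list(self.pending):
            if seq_le(s, self.next_seq):
                data = self.pending.pop(s)[(self.next_seq - s) % MOD:]
                if data:
                    return self.next_seq, data
                self.duplicates += 1          # fully superseded while it waited
        return None, None
```

A real divert reader needs one of these per direction of each flow, keyed by the 4-tuple, plus the reverse step of writing every packet back to the divert socket so the connection keeps flowing while the bytes are inspected.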