From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 12 22:06:14 2006
From: "Andrei Manescu" <andrei.manescu@clicknet.ro>
To: freebsd-ipfw@freebsd.org
Date: Mon, 13 Nov 2006 00:02:34 +0200
Subject: Port forwarding FreeBSD 6.1

Hello,

Do you have any tutorial on how to activate/use port forwarding on ipfw
and natd on a FreeBSD 6.1 system? I have in rc.conf file:
natd_flaggs="-f /etc/natd.conf", but, after rebooting, the system won't
NAT and won't respond to any ping.
And do you know some command to run after every rc.conf/rc.firewall change
so that it doesn't require rebooting?

Thanks in advance. Great work.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 13 11:08:22 2006
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 13 Nov 2006 11:08:19 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent f
f kern/51341   ipfw   [ipfw] [patch] ipfw rule 'deny icmp from any to any ic
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o conf/78762   ipfw   [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913    ipfw   [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw   ipfw pipe lost packets
o kern/95084   ipfw   [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw   [ipfw] [patch] add a facility to modify DF bit of the

14 problems total.

Non-critical problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw   [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw   [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw   [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw   [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw   [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw   sugestions about ipfw table
p kern/103967  ipfw   [ipfw] [patch] ipfw2 limit src-addr logging is not suf
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q

21 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 15 13:56:33 2006
From: eternityos@free.fr
To: freebsd-ipfw@FreeBSD.org
Date: Wed, 15 Nov 2006 15:25:05 +0100
Subject: Re: Limit bandwidth on some ports more than others

Come on, no one to help me on this one?

It's just 2 pipes (upload/download) and 6 queues (3 for upload / 3 for
download). I just want to limit bandwidth some more on ports 4662 and
port 62731...

Anyone please?
Hi everyone :)

My traffic shaping is like this:

${fwcmd} pipe 3 config bw 64Kbit/s queue 10Kbytes   # Upload
${fwcmd} pipe 4 config bw 192Kbit/s queue 10Kbytes  # Download

# Client ID = 9d1884960e7b310b028f5594843310f6
${fwcmd} queue 1 config queue 10KBytes pipe 3 weight 10
${fwcmd} queue 2 config queue 10KBytes pipe 4 weight 10
${fwcmd} add 1100 queue 1 all from 172.16.1.0/30 to any out via ${oif0}  # Upload
${fwcmd} add 1101 queue 2 all from any to 172.16.1.0/30 in via ${oif0}   # Download
${fwcmd} add 1102 pass ${dbg} all from 172.16.1.0/30 to any setup

# Client ID = a4a4ba939c4c052378efc827b0d13fec
${fwcmd} queue 3 config queue 10KBytes pipe 3 weight 10
${fwcmd} queue 4 config queue 10KBytes pipe 4 weight 10
${fwcmd} add 1103 queue 3 all from 172.16.91.0/27 to any out via ${oif0}  # Upload
${fwcmd} add 1104 queue 4 all from any to 172.16.91.0/27 in via ${oif0}   # Download
${fwcmd} add 1105 pass ${dbg} all from 172.16.91.0/27 to any setup

# Client ID = 4e03b83b9511d1962436ee81e552586a
${fwcmd} queue 5 config queue 10KBytes pipe 3 weight 10
${fwcmd} queue 6 config queue 10KBytes pipe 4 weight 10
${fwcmd} add 1106 queue 5 all from 172.16.78.0/28 to any out via ${oif0}  # Upload
${fwcmd} add 1107 queue 6 all from any to 172.16.78.0/28 in via ${oif0}   # Download
${fwcmd} add 1108 pass ${dbg} all from 172.16.78.0/28 to any setup

But some of my users have P2P apps... And I want to limit the P2P to
32Mb/s download and upload because it's overloading my bandwidth.
Let's say for example ports 4662 and port 62731...

How could I limit for each subnet the P2P bandwidth with those rules
without affecting everything else?

Thanks :)
Pierre
_______________________________

From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 18 07:51:48 2006
From: "Nilton Volpato" <nilton.volpato@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Fri, 17 Nov 2006 19:28:52 -0200
Subject: port redirection with natd and ipfw

Hi,

I'm using a computer with FreeBSD as a gateway and NAT for a private LAN.
Let's say the gateway has external.com as external address, and 192.168.0.1
as internal address, so that the LAN is 192.168.0.0/24. I'm doing a number
of port redirects in the gateway, for svn, http, https, ssh, etc. using
natd. However, these port redirects do not work from inside the LAN. For
instance, if I point my browser to http://external.com and I'm in the LAN,
then it will not work. I can't use the internal address of the web server
because none of the links will work on the web page.

In summary, I want my port redirections to work also when I try to connect
to the gateway's external address from inside the LAN.

I'm using a minimal ipfw configuration to try to solve this. This is the
default configuration:

00050 divert 8668 ip4 from any to any via vr0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

I tried to add:

00060 divert 8668 ip4 from 192.168.0.0/24 to external.com

expecting that it would send the packets from LAN to natd, which would
apply the port redirections. But it did not work.

How can I solve this?

Thanks,
-- Nilton
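The behaviour Nilton describes, modelled as an added example (not code from the thread or from natd itself): a redirect_port rewrite alone sends the web server's reply straight back across the LAN, so the client gets an answer from an address it never contacted, while a reflection setup additionally has to masquerade the LAN client behind the gateway so the reply passes natd again. The addresses, the redirect table and the `reflect` switch are constructed for this illustration.

```python
# Added model (not from the thread): why natd's redirect_port works for an
# Internet client but not for a LAN client talking to the external address.
# Addresses, redirect table and the "reflect" switch are constructed.
from dataclasses import dataclass

EXTERNAL = "203.0.113.10"     # stands in for external.com (constructed)
GATEWAY_LAN = "192.168.0.1"
WEB = "192.168.0.20"          # internal web server (constructed)
REDIRECTS = {80: (WEB, 80)}   # as if: redirect_port tcp 192.168.0.20:80 80

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def on_lan(ip):
    return ip.startswith("192.168.0.")

class Natd:
    # Stand-in for natd: rewrite dst on the way in, undo it on the way out.
    def __init__(self, reflect=False):
        self.reflect = reflect   # also masquerade LAN clients behind the gateway
        self.state = {}          # 4-tuple as the server sees it -> original packet

    def inbound(self, p):
        if p.dst != EXTERNAL or p.dport not in REDIRECTS:
            return p
        host, port = REDIRECTS[p.dport]
        src, sport = p.src, p.sport
        if self.reflect and on_lan(p.src):
            src, sport = GATEWAY_LAN, 50000 + len(self.state)
        q = Pkt(src, sport, host, port)
        self.state[(q.src, q.sport, q.dst, q.dport)] = p
        return q

    def outbound(self, r):
        orig = self.state.get((r.dst, r.dport, r.src, r.sport))
        return r if orig is None else Pkt(orig.dst, orig.dport, orig.src, orig.sport)

def client_flow(client_ip, reflect=False):
    """True if the client's SYN to EXTERNAL:80 is answered by a matching SYN/ACK."""
    nat = Natd(reflect)
    syn = Pkt(client_ip, 40000, EXTERNAL, 80)
    seen = nat.inbound(syn)                      # what the web server receives
    synack = Pkt(seen.dst, seen.dport, seen.src, seen.sport)
    # A reply to another LAN host is delivered directly and never reaches natd;
    # a reply to the gateway or to the Internet crosses it and is untranslated.
    got = synack if on_lan(synack.dst) and synack.dst != GATEWAY_LAN else nat.outbound(synack)
    return (got.src, got.sport, got.dst, got.dport) == (syn.dst, syn.dport, syn.src, syn.sport)
```

The masquerade means the web server logs the gateway's address instead of the real client, which matters for audit trails and any per-client access control on the server; split DNS (resolving external.com to the internal address for LAN clients) avoids the reflection altogether.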