From owner-freebsd-ipfw Sun Jan 26 18:12:30 2003
Date: Sun, 26 Jan 2003 18:11:10 -0800
From: "Jacob S. Barrett"
To: freebsd-ipfw@FreeBSD.ORG
Subject: Redirecting all outbound traffic to internal website
Message-ID: <3E34953E.8000405@amduat.net>

I want to be able to redirect all outbound traffic from a particular
address range, 10.128.0.0/16, to an internal server 10.1.1.1. This way
if they try to browse to www.yahoo.com, or any other site, they really
just get my website. I know this can be done. I have done it once
before, but now I can't remember how I did it. I have spent hours
searching the archives at google with no luck. I know it is some
combination of ipfw and natd, but I can't seem to hit the right
combination.

I want the destination IP translated to 10.1.1.1 for all ip traffic from
10.128.0.0/16.

Any clues?

-- 
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Jan 27 2:56:21 2003
Date: Mon, 27 Jan 2003 11:56:06 +0100
From: Erik Paulsen Skålerud
To: "'Jacob S. Barrett'", freebsd-ipfw@FreeBSD.ORG
Subject: RE: Redirecting all outbound traffic to internal website
Message-ID: <001d01c2c5f2$b1aa22f0$0a00000a@lan.tekniker.no>
In-Reply-To: <3E34953E.8000405@amduat.net>

ipfw add fwd 10.1.1.1 tcp from 10.128.0.0/16 to any

Erik.

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Jacob S. Barrett
Sent: Monday, January 27, 2003 3:11 AM
To: freebsd-ipfw@FreeBSD.ORG
Subject: Redirecting all outbound traffic to internal website

I want to be able to redirect all outbound traffic from a particular
address range, 10.128.0.0/16, to an internal server 10.1.1.1. This way
if they try to browse to www.yahoo.com, or any other site, they really
just get my website. I know this can be done. I have done it once
before, but now I can't remember how I did it. I have spent hours
searching the archives at google with no luck. I know it is some
combination of ipfw and natd, but I can't seem to hit the right
combination.

I want the destination IP translated to 10.1.1.1 for all ip traffic from
10.128.0.0/16.

Any clues?

-- 
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."

From owner-freebsd-ipfw Mon Jan 27 7:36:45 2003
Date: Mon, 27 Jan 2003 07:36:13 -0800
From: "Jacob S. Barrett"
To: Erik Paulsen Skålerud
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Redirecting all outbound traffic to internal website
Message-ID: <3E3551ED.5070909@amduat.net>
In-Reply-To: <001d01c2c5f2$b1aa22f0$0a00000a@lan.tekniker.no>

This won't change the destination address of the packet, it just
forwards it to that address at which point it is dropped since it
doesn't have the correct address in the destination.

I think I figured it out last night, but I haven't had much time to
test it. How does this look? Is there something better?

# natd -a 10.129.0.1 -in_port 12345 -out_port 12346 -target_address 10.0.0.1
# ipfw add divert 12345 ip from 10.128.0.0/16 to any
# ipfw add divert 12346 ip from 10.0.0.1 to 10.128.0.0/16

-Jake

Erik Paulsen Skålerud wrote:
> ipfw add fwd 10.1.1.1 tcp from 10.128.0.0/16 to any
>
> Erik.
>
> -----Original Message-----
> From: owner-freebsd-ipfw@FreeBSD.ORG
> [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Jacob S. Barrett
> Sent: Monday, January 27, 2003 3:11 AM
> To: freebsd-ipfw@FreeBSD.ORG
> Subject: Redirecting all outbound traffic to internal website
>
>
> I want to be able to redirect all outbound traffic from a particular
> address range, 10.128.0.0/16, to an internal server 10.1.1.1. This way
> if they try to browse to www.yahoo.com, or any other site, they really
> just get my website. I know this can be done. I have done it once
> before, but now I can't remember how I did it. I have spent hours
> searching the archives at google with no luck. I know it is some
> combination of ipfw and natd, but I can't seem to hit the right
> combination.
>
> I want the destination IP translated to 10.1.1.1 for all ip traffic from
> 10.128.0.0/16.
>
> Any clues?

-- 
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."

From owner-freebsd-ipfw Tue Jan 28 15:01:41 2003
Date: Wed, 29 Jan 2003 00:01:34 +0100
From: "Simon L. Nielsen"
To: freebsd-ipfw@freebsd.org
Subject: Error in ipfw manpage for stateful rules?
Message-ID: <20030128230133.GF414@nitro.dk>

Hello

The ipfw man page for stateful rules has two examples. Shouldn't the
allow rule have a keep-state keyword ?

So

ipfw add check-state
ipfw add allow tcp from my-subnet to any setup
ipfw add deny tcp from any to any

is changed to

ipfw add check-state
ipfw add allow tcp from my-subnet to any setup keep-state
ipfw add deny tcp from any to any

And similar for udp.

-- 
Simon L. Nielsen

From owner-freebsd-ipfw Wed Jan 29 4:16:00 2003
Date: Wed, 29 Jan 2003 06:45:02 -0200
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: freebsd-ipfw@freebsd.org
Subject: echoo
Message-ID: <3E37948E.2020100@freebsdbrasil.com.br>

Hello, anybody there??

From owner-freebsd-ipfw Wed Jan 29 5:02:40 2003
Date: Wed, 29 Jan 2003 07:31:57 -0200
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: FreeBSD IPFIREWALL List
Subject: Re: echoo
Message-ID: <3E379F8D.20700@freebsdbrasil.com.br>
References: <1856157FD835724F81273BB79370992F18EF29@fs03.patent.bmwa.gv.at>

Great; good to know I am not the only one here. I have recently sent
some questions, but got no response, comments, and haven't received
messages from this list for some time. Is it usually so quiet? I
believed this to be a more appropriate place to send messages concerning
ipfw stuff, but on questions and -current it seems to be more intensive.
From owner-freebsd-ipfw Wed Jan 29 11:51:46 2003
Date: Wed, 29 Jan 2003 20:51:51 +0100
From: Markus Weissmann
To: freebsd-ipfw@FreeBSD.ORG
Subject: traffic shaping with ipfw?
Message-Id: <1C6134BC-33C3-11D7-9067-000393B7748C@gmx.de>

Hi Folks!

We've got a dsl-connection here with 768/128 KBit up/down.
The Problem is, when for example uploading lots of stuff, the
download goes down badly...
and more problematic: The responsiveness of ssh-connections
or the like go down to point of unusability.

Solution so far:
create dummynet pipe with 90% of the upload bandwidth and
stuff all traffic going out there; but before, take out
the packets with small size (those are most probably the
syn/ack and ssh packets?) and let them pass.

tun0 is the external device
---
allow udp from any to any out xmit tun0
allow icmp from any to any out xmit tun0
allow tcp from any to any { iplen 32 or iplen 33 or iplen 34 or iplen
35 or iplen 36 or iplen 37 or iplen 38 or iplen 39 or ... iplen 62 or
iplen 63 or iplen 64 } out xmit tun0
queue 1 ip from any to any out xmit tun0
---

any suggestions on this? (the 3rd line doesn't pleasure me too much...)
the responsiveness of ssh-sessions is only slightly improved
(hehe, a "allow tcp from any to any 22 out xmit tun0" won't do the
trick, cause if someone does a 'scp' I'm doomed)

thanx in advance,

Markus

From owner-freebsd-ipfw Wed Jan 29 12:50:33 2003
Date: Wed, 29 Jan 2003 12:50:24 -0800
From: Luigi Rizzo
To: Markus Weissmann
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: traffic shaping with ipfw?
Message-ID: <20030129125024.A62382@xorpc.icir.org>
In-Reply-To: <1C6134BC-33C3-11D7-9067-000393B7748C@gmx.de>

one option would be to extend the "iplen" syntax to accommodate
ranges. This should be trivial to implement.

cheers
luigi

On Wed, Jan 29, 2003 at 08:51:51PM +0100, Markus Weissmann wrote:
> Hi Folks!
>
> We've got a dsl-connection here with 768/128 KBit up/down.
> The Problem is, when for example uploading lots of stuff, the
> download goes down badly...
> and more problematic: The responsiveness of ssh-connections
> or the like go down to point of unusability.
>
> Solution so far:
> create dummynet pipe with 90% of the upload bandwidth and
> stuff all traffic going out there; but before, take out
> the packets with small size (those are most probably the
> syn/ack and ssh packets?) and let them pass.
>
> tun0 is the external device
> ---
> allow udp from any to any out xmit tun0
> allow icmp from any to any out xmit tun0
> allow tcp from any to any { iplen 32 or iplen 33 or iplen 34 or iplen
> 35 or iplen 36 or iplen 37 or iplen 38 or iplen 39 or ... iplen 62 or
> iplen 63 or iplen 64 } out xmit tun0
> queue 1 ip from any to any out xmit tun0
> ---
>
> any suggestions on this? (the 3rd line doesn't pleasure me too much...)
> the responsiveness of ssh-sessions is only slightly improved
> (hehe, a "allow tcp from any to any 22 out xmit tun0" won't do the
> trick, cause
> if someone does a 'scp' I'm doomed)
>
>
> thanx in advance,
>
> Markus

From owner-freebsd-ipfw Wed Jan 29 12:55:37 2003
Date: 29 Jan 2003 12:57:13 -0800
From: Brad Knotwell
To: freebsd-ipfw@freebsd.org
Subject: using dummynet to simulate path MTU
Message-Id: <1043873833.14193.62.camel@linuxws>

Hello all--

If possible, I'd like to simulate path MTU discovery with two machines.
I'd hoped to use dummynet as a "fake router."

Has anyone done this before?

Thanks.

--Brad

From owner-freebsd-ipfw Wed Jan 29 18:25:25 2003
Date: Wed, 29 Jan 2003 19:25:14 -0700 (MST)
From: Nick Rogness
To: "Simon L. Nielsen"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?
Message-ID: <20030129191619.E69407-100000@skywalker.rogness.net>
In-Reply-To: <20030128230133.GF414@nitro.dk>

On Wed, 29 Jan 2003, Simon L. Nielsen wrote:

>
> Hello
>
> The ipfw man page for stateful rules has two examples. Shouldn't the
> allow rule have a keep-state keyword ?
> > So > > ipfw add check-state > ipfw add allow tcp from my-subnet to any setup > ipfw add deny tcp from any to any > > is changed to > > ipfw add check-state > ipfw add allow tcp from my-subnet to any setup keep-state > ipfw add deny tcp from any to any > > And similar for udp. I just verified that you are correct. I wasn't sure if setup implied keep-state or not (don't know why it would). I just typed it in and you definetly need the keep-state keyword with the rule. I did a quick search for this mentioned in the PR database and didn't find a match. Do a more thorough check and make sure someone has not already submitted a PR for this, then submit a PR. Or if not, I can. Nick Rogness - How many people here have telekenetic powers? Raise my hand. -Emo Philips To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jan 30 2:10:27 2003 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 867B837B401 for ; Thu, 30 Jan 2003 02:10:26 -0800 (PST) Received: from arthur.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id A38B843E4A for ; Thu, 30 Jan 2003 02:10:25 -0800 (PST) (envelope-from simon@arthur.nitro.dk) Received: by arthur.nitro.dk (Postfix, from userid 1000) id E507410BF96; Thu, 30 Jan 2003 11:10:19 +0100 (CET) Date: Thu, 30 Jan 2003 11:10:19 +0100 From: "Simon L. Nielsen" To: Nick Rogness Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: Error in ipfw manpage for stateful rules? 
Message-ID: <20030130101018.GB372@nitro.dk> References: <20030128230133.GF414@nitro.dk> <20030129191619.E69407-100000@skywalker.rogness.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="JYK4vJDZwFMowpUq" Content-Disposition: inline In-Reply-To: <20030129191619.E69407-100000@skywalker.rogness.net> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --JYK4vJDZwFMowpUq Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2003.01.29 19:25:14 +0000, Nick Rogness wrote: > I did a quick search for this mentioned in the PR database and > didn't find a match. Do a more thorough check and make sure > someone has not already submitted a PR for this, then > submit a PR. Or if not, I can. Thanks for looking at it. I will look more into it and submit a PR. I just wanted to make sure I hadn't missed something obvious. --=20 Simon L. 
Nielsen --JYK4vJDZwFMowpUq Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+OPoK8kocFXgPTRwRAvfQAJ4y6hY3lkFsTm9PeKTe/5kqdcYI+wCgycFD bw91XuZzkgQwlCgTPB3dRiw= =wOFV -----END PGP SIGNATURE----- --JYK4vJDZwFMowpUq-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jan 30 4:52:30 2003 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 391D437B401 for ; Thu, 30 Jan 2003 04:52:30 -0800 (PST) Received: from mail.geoseis.t72.ru (geoseis.t72.ru [193.111.45.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 73E9043E4A for ; Thu, 30 Jan 2003 04:52:28 -0800 (PST) (envelope-from shy@geoseis.t72.ru) Received: from leon.geoseis (leon.geoseis [192.168.1.10]) by tower.geoseis.t72.ru (8.12.6/8.11.6) with ESMTP id h0UCoi9l026777 for ; Thu, 30 Jan 2003 17:50:44 +0500 (YEKT) (envelope-from shy@geoseis.t72.ru) Date: Thu, 30 Jan 2003 17:50:44 +0500 From: Sergey Klusov X-Mailer: The Bat! 
(v1.62 Christmas Edition) Reply-To: Sergey Klusov X-Priority: 3 (Normal) Message-ID: <1349648834.20030130175044@geoseis.t72.ru> To: freebsd-ipfw@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG test To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jan 30 5:12:48 2003 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C530037B401 for ; Thu, 30 Jan 2003 05:12:46 -0800 (PST) Received: from mail.geoseis.t72.ru (geoseis.t72.ru [193.111.45.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id AA0B743F3F for ; Thu, 30 Jan 2003 05:12:45 -0800 (PST) (envelope-from shy@geoseis.t72.ru) Received: from leon.geoseis (leon.geoseis [192.168.1.10]) by tower.geoseis.t72.ru (8.12.6/8.11.6) with ESMTP id h0UDBI9l026977 for ; Thu, 30 Jan 2003 18:11:18 +0500 (YEKT) (envelope-from shy@geoseis.t72.ru) Date: Thu, 30 Jan 2003 10:25:35 +0500 From: Sergey Klusov X-Mailer: The Bat! 
Reply-To: freebsd-ipfw@FreeBSD.ORG
Message-ID: <124904071.20030130102535@geoseis.t72.ru>
To: freebsd-ipfw@FreeBSD.ORG
Subject: ipfw2

Hello, I've got a problem with ipfw2. Here is my config:

    ipfw add 50 divert natd all from any to any via ${extif}
    ipfw add 100 check-state
    ipfw add 200 deny log tcp from any to any established
    ipfw add 300 permit tcp from any to any setup

Almost always there is a logged message like this, WHEN the connection terminates. Everything works fine, but the full log of this:

    Jan 10 12:04:24 tower /kernel: ipfw: 200 Deny TCP 217.66.99.188:80 193.111.x.x:1147 in via rl1

I've tried to intercept these packets with tcpdump and figured out that those packets logged are TCP packets with the FIN flag. And it seems that many hosts send multiple FIN packets, which causes the dynamic rule to be removed on the first FIN packet and then log that message above on all subsequent packets. Also I must note that it is not diverted packets being logged, because we use squid, which is on the same host. So I doubt that this is a NAT issue. Any ideas?
--
Best regards,
Sergey Klusov

From owner-freebsd-ipfw Thu Jan 30 6:13:44 2003
From: "JoeB"
To: "Nick Rogness", "Simon L. Nielsen"
Subject: RE: Error in ipfw manpage for stateful rules?
Date: Thu, 30 Jan 2003 09:13:39 -0500
In-Reply-To: <20030129191619.E69407-100000@skywalker.rogness.net>

That is not the only thing wrong with the example. IPFW with NATD does not function with keep-state rules. Just read the IPFW-list archives back through 1/2002 and you will get a very clear picture of the problem. Don't you think it's about time NATD gets fixed, or you say something in the examples about this problem? Divorcing the built-in divert natd rule from IPFW and making the NAT function a standalone function would be the simplest fix.
-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Nick Rogness
Sent: Wednesday, January 29, 2003 9:25 PM
To: Simon L. Nielsen
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?

On Wed, 29 Jan 2003, Simon L. Nielsen wrote:

> Hello
>
> The ipfw man page for stateful rules has two examples. Shouldn't the
> allow rule have a keep-state keyword?
>
> So
>
> ipfw add check-state
> ipfw add allow tcp from my-subnet to any setup
> ipfw add deny tcp from any to any
>
> is changed to
>
> ipfw add check-state
> ipfw add allow tcp from my-subnet to any setup keep-state
> ipfw add deny tcp from any to any
>
> And similar for udp.

I just verified that you are correct. I wasn't sure if setup implied keep-state or not (don't know why it would). I just typed it in and you definitely need the keep-state keyword with the rule.

I did a quick search for this mentioned in the PR database and didn't find a match. Do a more thorough check and make sure someone has not already submitted a PR for this, then submit a PR. Or if not, I can.

Nick Rogness
-
How many people here have telekinetic powers? Raise my hand.
-Emo Philips

From owner-freebsd-ipfw Thu Jan 30 7:22:37 2003
From: Michael Sierchio
Date: Thu, 30 Jan 2003 07:22:33 -0800
Message-ID: <3E394339.6080201@tenebras.com>
To: barbish@a1poweruser.com
Cc: Nick Rogness, "Simon L. Nielsen", freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?

JoeB wrote:
> That is not the only thing wrong with the example.
> IPFW with NATD does not function with keep-state rules.

Oh, but it does. It just requires the right set of rules. This is oft-discussed, and is not a design defect but a consequence of using two different types of stateful mechanism. I myself use stateful rules and natd -- some of the ruleset is quite non-intuitive.
> Just read the IPFW-list archives back through 1/2002 and you will
> get a very clear picture of the problem.

I believe that, if you go further back in the archives, you'll see I was laboring under the same misunderstanding. Here's an example:

    pub_hosts=outside IP addr list / public net
    prv_net= rfc1918 addrs / private net
    oif= outside if
    iif= inside if

    $fw add 02100 set 0 divert natd ip from any to any via $oif
    $fw add 02200 set 0 check-state
    $fw add 02400 set 0 allow ip from $pub_hosts to any out xmit $oif
    $fw add 02450 set 0 deny tcp from any to any established
    $fw add 03300 set 0 allow tcp from $prv_net to any in via $iif keep-state setup
    $fw add 03400 set 0 allow udp from $prv_net to any keep-state
    $fw add 03500 set 0 allow icmp from $prv_net to any

From owner-freebsd-ipfw Thu Jan 30 8:18:55 2003
From: "JoeB"
To: "Willie Viljoen"
Subject: RE: Error in ipfw manpage for stateful rules?
Date: Thu, 30 Jan 2003 11:18:40 -0500
In-Reply-To: <200301301630.19610.will@unfoldings.net>

Well, I think you make my point for me very well by pointing out that net.inet.ip.fw.one_pass=0 and the NATD option -d are necessary to get it to function correctly. And I must again point out that nowhere are these additional keep-state requirements documented. This is the part that is missing from the documentation when talking about IPFW / NATD with keep-state rules. Where in the IPFW documentation is this stated, and shouldn't there be an example of this method included in FBSD?

> Now, to make this work properly, you should force packets diverted to natd
> and re-injected into the chain to continue, instead of just being passed on.
> To do this, set the net.inet.ip.fw.one_pass sysctl to 0, by putting this in
> /etc/sysctl.conf:
>
> net.inet.ip.fw.one_pass=0

Rules 10 & 20 in the below example are for your transparent squid proxy and can be deleted if I am not using squid proxy, correct?

And I must still point out that my statement is still true: that keep-state rules do not function correctly in IPFW/NATD.

-----Original Message-----
From: Willie Viljoen [mailto:will@phoenix.home.laserfence.net] On Behalf Of Willie Viljoen
Sent: Thursday, January 30, 2003 9:30 AM
To: barbish@a1poweruser.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Error in ipfw manpage for stateful rules?

On Thursday 30 January 2003 16:13, JoeB wrote:
> That is not the only thing wrong with the example.
> IPFW with NATD does not function with keep-state rules.

It doesn't? That's an extremely inaccurate statement. Perhaps you should reevaluate your configuration. I refer to this example, which is currently working on many production firewall/NAT machines with my clients and in my own offices. This example also has a transparent squid proxy, and assumes the system is using a PPP connection to the internet, but it can also be ethernet (or any other interface):

    -f flush
    add 00010 skipto 00030 tcp from me to any 80
    add 00020 fwd 127.0.0.1,3128 tcp from any to any 80
    add 00030 divert natd tcp from any to any via ppp0
    add 00040 check-state
    add 00050 allow ip from any to any out keep-state
    add 00060 allow ip from 192.168.0.0/24 to any out keep-state
    add 00070 allow icmp from any to any icmptypes 0,3,4,8,11,12,13,14
    add 00080 reset tcp from any to me 113
    add 00090 unreach port udp from any to any 33434-33523
    add 65534 deny log ip from any to any

This allows all traffic from the local machine (including localhost), and from the local network 192.168.0.*. It also forwards packets via a properly configured transparent squid proxy. Needed ICMP packets are allowed through, and ident requests and traceroutes from the outside are deflected. All packets not deflected or let through are logged.

Now, to make this work properly, you should force packets diverted to natd and reinjected into the chain to continue, instead of just being passed on. To do this, set the net.inet.ip.fw.one_pass sysctl to 0, by putting this in /etc/sysctl.conf:

    net.inet.ip.fw.one_pass=0

And, for the current session, at the command line:

    sysctl net.inet.ip.fw.one_pass=0

Now, launch natd as such. This assumes the PPP interface has a static IP (10.0.1.27). If it's a dynamic dial-up, start it from /etc/ppp/ip-up and use the -n switch instead.
For this example, in /etc/rc.conf:

    natd_enable="YES"
    natd_flags="-d -s -m -u -a 10.0.1.27 -punch_fw 10000:10000"

And from the command line, for the current session:

    /sbin/natd -d -s -m -u -a 10.0.1.27 -punch_fw 10000:10000

To start natd appropriately from /etc/ppp/ip-up:

    /sbin/natd -d -s -m -u -n ppp0 -punch_fw 10000:10000

Finally, you also need (obviously) these settings in /etc/rc.conf for this example to function properly:

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="/etc/ipfw.conf"

After all of this has been set up, all traffic passing through the NAT interface will be passed to natd. After the address translation has been done, it is passed back to the ipfw rule chain so that other rules (including stateful rules) can inspect the packets. The -punch_fw 10000:10000 switch to natd tells natd that it may inject its own dynamic (stateful) rules into the firewall between rules 10000 and 20000. The -d switch sets natd to block any non-natted (unknown) connection passed to it.

This example *DOES* work, so I do not see how you can claim that natd and ipfw stateful rules can not work together.

Got my two cents

Will

> Just read the IPFW-list archives back through 1/2002 and you will
> get a very clear picture of the problem.
> Don't you think it's about time NATD gets fixed or you say some
> thing in the examples about this problem.
> Divorcing the built in divert natd rule from IPFW and making the NAT
> function a standalone function would be the simplest fix.
>
> -----Original Message-----
> From: owner-freebsd-ipfw@FreeBSD.ORG
> [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Nick Rogness
> Sent: Wednesday, January 29, 2003 9:25 PM
> To: Simon L. Nielsen
> Cc: freebsd-ipfw@FreeBSD.ORG
> Subject: Re: Error in ipfw manpage for stateful rules?
>
> On Wed, 29 Jan 2003, Simon L. Nielsen wrote:
> > Hello
> >
> > The ipfw man page for stateful rules has two examples. Shouldn't
> > the allow rule have a keep-state keyword?
> >
> > So
> >
> > ipfw add check-state
> > ipfw add allow tcp from my-subnet to any setup
> > ipfw add deny tcp from any to any
> >
> > is changed to
> >
> > ipfw add check-state
> > ipfw add allow tcp from my-subnet to any setup keep-state
> > ipfw add deny tcp from any to any
> >
> > And similar for udp.
>
> I just verified that you are correct. I wasn't sure if setup
> implied keep-state or not (don't know why it would). I just typed
> it in and you definitely need the keep-state keyword with the rule.
>
> I did a quick search for this mentioned in the PR database and
> didn't find a match. Do a more thorough check and make sure
> someone has not already submitted a PR for this, then
> submit a PR. Or if not, I can.
>
> Nick Rogness
> -
> How many people here have telekinetic powers? Raise my hand.
> -Emo Philips

--
Willie Viljoen
Freelance IT Consultant

214 Paul Kruger Avenue, Universitas
Bloemfontein
9321
South Africa

+27 51 522 15 60
+27 51 522 44 36 (after hours)
+27 82 404 03 27 (mobile)

will@unfoldings.net

From owner-freebsd-ipfw Thu Jan 30 9:11:10 2003
From: "JoeB"
To: "Michael Sierchio"
Cc: "Nick Rogness", "Simon L. Nielsen"
Subject: RE: Error in ipfw manpage for stateful rules?
Date: Thu, 30 Jan 2003 12:10:51 -0500
In-Reply-To: <3E394339.6080201@tenebras.com>

Nice little rule set, but without an explanation of what each rule is supposed to be doing and at what timing they take effect, your sample rule set does not convey any insight into how it works. What interface are the dynamic rules being built on? Internal NIC IP addresses or external NIC IP address? And this is a let-everything-pass example. What good is it as a real-world working example when most firewall users deny all in and out except those protocol / port combinations that only allow desired functions? Your example is a very poor one.

So again I state that the documentation for keep-state rules using IPFW/NATD does not contain the information to create a fully enabled keep-state firewall using the IPFW/NATD function.

Here are my IPFW rules, which function perfectly when I use user ppp -nat to do the NAT function outside of IPFW; when I stop using PPP -NAT and use IPFW/NATD with the same rule set, including the divert natd rule 200 being uncommented, it stops working. This should not be. So show me how your example can be made to be restrictive like my rules are.
    ###########################################################################
    #
    # Define IPFW firewall rules for gateway.a1poweruser.com
    # 2/15/2002 Joe Barbish
    #
    # User ppp tun0 dial out to ISP with dynamic IP addresses assigned.
    # User ppp tun1 dial in to this box with dynamic IP addresses assigned
    # User ppp tun2 dial in to this box with dynamic IP addresses assigned
    # User ppp nat used. Private IP address used inside.
    # 3 win98 boxes on LAN with static IP address hard coded.
    # Protect the whole private network from loss of service attacks
    # These rules can be reloaded without rebooting by issuing this command
    # sh /etc/ipfw.stdrules
    #
    # The use of 'me' in rules means IP address 127.0.0.0 localhost
    #
    # Firewall Policy Statement.
    # All packet traffic originating behind this firewall not requiring access
    # to the public internet is exempt from these firewall rules.
    #
    # Each public internet function must be explicitly allowed by a rule.
    # Only valid responses to the packets I've sent out are allowed in.
    # All packets must use the IPFW advanced "dynamic" rules function.
    # No state-less rules or simple-stateful rules are allowed.
    ###########################################################################

    # Flush out the list before we begin.
    /sbin/ipfw -q -f flush

    # Set rules command prefix
    # The -q option on the command is for quiet mode.
    # Do not display rules as they load. Remove during development to see.
    cmd="/sbin/ipfw -q add"

    # Set defaults
    # set these to your outside interface network and netmask and ip
    # for dynamic IP address from ISP use their range
    oif="tun0"
    odns1="208.206.15.11"   # ISP's dns server 1 IP address
    odns2="208.206.15.12"   # ISP's dns server 2 IP address
    oisp="208.206.15.4"     # Mangobay ISP router issuing rip
    oip="63.70.155.25/24"   # For testing dial isp from standalone pc and
                            # access this FBSD box over the internet.
                            # This value is the dynamic IP address range
                            # issued by ISP. oip is in inbound section
                            # statements to only allow inbound access from me.
                            # /24 means 63.70.155.1 thru 63.70.155.256

    # Set these to your inside interface network and ip address range
    iif="xl0"               # Nic card
    iip="10.0.10.2/29"      # Private IP address range on Nic card
                            # /29 means 10.0.10.1 thru 10.0.10.08
                            # 10.0.10.2 Lan Nic card
                            # 10.0.10.5 Lan Windows98 machine1
    iip2="10.0.0.1/29"      # Private IP address range for dial in
                            # /29 means 10.0.0.1 thru 10.0.10.08
                            # 10.0.0.2 User PPP Dialin Host
                            # 10.0.0.5 User PPP Dialin Windows98 machine1

    # This is the start of the rules.
    # All traffic coming in from the internet or
    # leaving the local LAN starts here

    # Handle Mangobay router 520 rip request
    $cmd 00002 deny udp from $oisp 520 to me in via $oif

    #*** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY
    # The following rule if un-commented will change the behaviour of this
    # FireWall rule set from closed to completely open, thus bypassing all of the
    # following rules. This single rule is placed here for TESTING PURPOSES ONLY.
    #$cmd 00005 allow all from any to any via xl0
    #$cmd 00006 allow log logamount 200 all from any to any

    # Internal gateway housekeeping
    # Rules # 100 - 130 exempt everything behind the firewall from this rule set.
    # Rules # 150 & 160 deny the reference to the localhost default IP address.
    $cmd 00100 allow all from any to any via lo0    # allow all localhost
    $cmd 00110 allow all from any to any via xl0    # allow all local LAN
    $cmd 00120 allow all from any to any via tun1   # allow all dialin call 1
    $cmd 00130 allow all from any to any via tun2   # allow all dialin call 2
    $cmd 00150 deny all from any to 127.0.0.0/8     # deny use of localhost IP
    $cmd 00160 deny all from 127.0.0.0/8 to any     # deny use of localhost IP
    #$cmd 00200 divert natd all from any to any via tun0

    ######## control section ############################################
    # Start of IPFW advanced Stateful Filtering using "dynamic" rules.
    # The check-state statement behaviour is to match bidirectional packet traffic
    # flow between source and destination using protocol/IP/port/sequence number.
    # The dynamic rule has a limited lifetime which is controlled by a set of
    # sysctl(8) variables. The lifetime is refreshed every time a matching
    # packet is found in the dynamic table.
    # Allow the packet through if it has previously been added to
    # the "dynamic" rules table by an allow keep-state statement.
    $cmd 00500 check-state

    # Deny & log all fragments as bogus packets
    $cmd 00502 deny log all from any to any frag

    # Deny & log ACK packets that did not match the dynamic rule table
    $cmd 00501 deny log tcp from any to any established

    ######## outbound section ############################################
    # Interrogate packets originating from behind the firewall, private net.
    # Upon a rule match, its keep-state option will create a dynamic rule.

    # Allow out www function
    $cmd 00600 allow tcp from any to any 80 out via $oif setup keep-state
    # Allow lan winbox access to FBSD Apache13/Frontpage Server
    $cmd 00601 allow tcp from $iip to any 80 out via $oif setup keep-state

    # Allow out access to my ISP's Domain name server.
    $cmd 00610 allow tcp from any to $odns1 53 out via $oif setup keep-state
    $cmd 00611 allow udp from any to $odns1 53 out via $oif keep-state
    $cmd 00615 allow tcp from any to $odns2 53 out via $oif setup keep-state
    $cmd 00616 allow udp from any to $odns2 53 out via $oif keep-state

    # Allow out access to internet Domain name server.
    $cmd 00618 allow tcp from any to any 53 out via $oif setup keep-state
    $cmd 00619 allow udp from any to any 53 out via $oif keep-state

    # Allow out send & get email function
    $cmd 00630 allow tcp from any to any 25,110 out via $oif setup keep-state

    # Allow out & in FBSD (make install & CVSUP) functions
    # Basically give user id root "GOD" privileges.
    $cmd 00640 allow tcp from me to any out via $oif setup keep-state uid root
    #$cmd 00641 allow tcp from any to me in via $oif setup keep-state uid root

    # Allow out & in console traceroute command
    $cmd 00642 allow udp from me to any 33435-33500 out via $oif keep-state
    $cmd 00643 allow icmp from any to me icmptype 3,11 in via $oif limit src-addr 2

    # Allow out ping
    $cmd 00650 allow icmp from any to any out via $oif keep-state

    # Allow out FTP control channel & in of data channel
    $cmd 00671 allow tcp from any to any 21 out via $oif setup keep-state
    # Allow in FTP data channel to Lan ip range
    $cmd 00672 allow tcp from any 20 to $iip 1024-49151 in via $oif setup keep-state
    # Allow in FTP data channel to Dialin users ip range
    $cmd 00673 allow tcp from any 20 to $iip2 1024-49151 in via $oif setup keep-state

    # Allow out ssh
    #$cmd 00680 allow tcp from any to any 22 out via $oif setup keep-state

    # Allow out TELNET
    $cmd 00690 allow tcp from any to any 23 out via $oif setup keep-state

    # Allow out Network Time Protocol (NTP) queries
    #$cmd 00694 allow tcp from any to any 123 out via $oif setup keep-state
    #$cmd 00695 allow udp from any to any 123 out via $oif keep-state

    # Allow out Time
    $cmd 00696 allow tcp from any to any 37 out via $oif setup keep-state
    $cmd 00697 allow udp from any to any 37 out via $oif keep-state

    # Allow out ident
    #$cmd 00700 allow tcp from any to any 113 out via $oif setup keep-state
    #$cmd 00701 allow udp from any to any 113 out via $oif keep-state

    # Allow out IRC
    #$cmd 00710 allow tcp from any to any 194 out via $oif setup keep-state
    #$cmd 00711 allow udp from any to any 194 out via $oif keep-state

    # Allow out whois
    $cmd 00712 allow tcp from any to any 43 out via $oif setup keep-state
    $cmd 00713 allow udp from any to any 43 out via $oif keep-state

    # Allow out whois++
    #$cmd 00715 allow tcp from any to any 63 out via $oif setup keep-state
    #$cmd 00716 allow udp from any to any 63 out via $oif keep-state

    # Allow out finger
    #$cmd 00720 allow tcp from any to any 79 out via $oif setup keep-state
    #$cmd 00721 allow udp from any to any 79 out via $oif keep-state

    # Allow out nntp news
    #$cmd 00725 allow tcp from any to any 119 out via $oif setup keep-state
    #$cmd 00726 allow udp from any to any 119 out via $oif keep-state

    # Allow out gopher
    #$cmd 00730 allow tcp from any to any 70 out via $oif setup keep-state
    #$cmd 00731 allow udp from any to any 70 out via $oif keep-state

    # Allow out pcANYwhere software product
    # Can only call out, can not receive incoming calls because of private
    # IP address on Lan.
    #$cmd 00740 allow udp from $iip to any 22,5632 out via $oif keep-state
    #$cmd 00741 allow tcp from $iip to any 5631 out via $oif setup keep-state

    ######## inbound section ############################################
    # Interrogate packets originating from in front of the firewall, public net.
    # Place statements here to allow public requests for service.
    # The ${oip} holds the dynamic ip address range that both this FBSD box and
    # the standalone pc I use for testing logs into, so the result is only I can
    # gain public access from the internet to these functions.

    # Allow in www
    $cmd 00800 allow tcp from $oip to any 80 in via $oif setup keep-state limit src-addr 4

    # Allow TCP FTP control channel in & data channel out
    $cmd 00810 allow tcp from $oip to me 21 in via $oif setup keep-state limit src-addr 4
    $cmd 00811 allow tcp from $oip 20 to any 1024-49151 out via $oif setup keep limit src-addr 4

    # Allow in ssh function
    #$cmd 00820 allow log tcp from $oip to me 22 in via $oif setup keep-state limit src-addr 4

    # Allow in Telnet
    $cmd 00830 allow tcp from $oip to me 23 in via $oif setup keep-state limit src-addr 4

    # This sends a RESET to all ident packets.
    $cmd 00840 reset log tcp from any to me 113 in via $oif limit src-addr 4

    # Stop & log external redirect requests.
    $cmd 00845 deny log icmp from any to any icmptype 5 in via $oif

    # Stop & log spoofing Attack attempts.
    # Examine incoming traffic for packets with both a source and destination
    # IP address in my local domain as per CIAC prevention alert.
    $cmd 00850 deny log ip from me to me in via $oif

    # Stop & log ping echo attacks
    # stop echo reply (ICMP type 0), and echo request (type 8).
    $cmd 00860 deny log icmp from any to me icmptype 0,8 in via $oif

    # Reject & Log all setup of tcp incoming connections from the outside
    $cmd 00900 deny log tcp from any to any setup in via $oif

    # Reject & Log all netbios Name service
    $cmd 00910 deny log tcp from any to any 137 in via $oif
    $cmd 00911 deny log udp from any to any 137 in via $oif

    # delta force game (not working yet)
    $cmd 00912 allow udp from $iip to any 3568,3569 out via $oif keep-state
    $cmd 00913 allow udp from 65.214.130.47 1436 to $iip in via $oif keep-state
    $cmd 00914 allow tcp from 208.231.90.229 80 to $iip in via $oif keep-state
    $cmd 00915 allow tcp from $iip to 208.231.90.229 80 out via $oif keep-state

    # Everything else is denied by default
    # deny and log all packets that fell through to see what they are
    $cmd 00950 deny log all from any to any

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Michael Sierchio
Sent: Thursday, January 30, 2003 10:23 AM
To: barbish@a1poweruser.com
Cc: Nick Rogness; Simon L. Nielsen; freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?

JoeB wrote:
> That is not the only thing wrong with the example.
> IPFW with NATD does not function with keep-state rules.

Oh, but it does. It just requires the right set of rules. This is oft-discussed, and is not a design defect but a consequence of using two different types of stateful mechanism. I myself use stateful rules and natd -- some of the ruleset is quite non-intuitive.

> Just read the IPFW-list archives back through 1/2002 and you will
> get a very clear picture of the problem.
I believe that, if you go further back in the archives, you'll see I was laboring under the same misunderstanding. Here's an example:

    pub_hosts=outside IP addr list / public net
    prv_net= rfc1918 addrs / private net
    oif= outside if
    iif= inside if

    $fw add 02100 set 0 divert natd ip from any to any via $oif
    $fw add 02200 set 0 check-state
    $fw add 02400 set 0 allow ip from $pub_hosts to any out xmit $oif
    $fw add 02450 set 0 deny tcp from any to any established
    $fw add 03300 set 0 allow tcp from $prv_net to any in via $iif keep-state setup
    $fw add 03400 set 0 allow udp from $prv_net to any keep-state
    $fw add 03500 set 0 allow icmp from $prv_net to any

From owner-freebsd-ipfw Thu Jan 30 10:32:27 2003
From: Michael Sierchio
Date: Thu, 30 Jan 2003 10:32:21 -0800
Message-ID: <3E396FB5.90406@tenebras.com>
To: barbish@a1poweruser.com
Cc: Nick Rogness, "Simon L. Nielsen", freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?
JoeB wrote:
>
> So again I state that the documentation for keep-state rules using
> IPFW/NATD does not contain the information to create a fully enabled
> keep-state firewall using the IPFW/NATD function.

There are subtleties in integrating natd and stateful ipfirewall rules, and these aren't covered in the examples. It's fairly easy to see where the difficulty is, though, if you understand how the stateful rules work -- they are looking for SYN/ACK and ACK packets that match the parent rule, so take care when rewriting addresses so you get matching packets! It may be that you need to use skipto rules to separate inbound and outbound packets.

Also note: it is documented but frequently forgotten that nat'd packets, or any packets passed via DIVERT, lose information -- such as which interface the packet was received on.

From owner-freebsd-ipfw Thu Jan 30 11:44:21 2003
From: "JoeB"
To: "Michael Sierchio"
Cc: "Nick Rogness", "Simon L. Nielsen"
Subject: RE: Error in ipfw manpage for stateful rules?
Date: Thu, 30 Jan 2003 14:44:16 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <3E396FB5.90406@tenebras.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG OK thanks for admitting that the subtleties in integrating natd and stateful ipfirewall rules, aren't covered in the examples. Also this little quote from your email response "Also note: it is documented but frequently forgotten that nat'd packets, or any packets passed via DIVERT, lose information -- such as which interface the packet was received on." Causes me a great amount of concern. I would think the divert code needs to be fixed to correct this problem, why has it not be corrected. I believe the subject to this thread is dealing with changing the examples and documentation to deal with getting IPFW/NATD/KEEP-STATE rules to play together correctly. So how about you helping me develop an example rules set that works. As you can see I have 2 conversations running under this subject. The other one has my keep-state rules file that works perfectly when used with user ppp -nat so the nat function is done outside of IPFW. But when the same rules set is used with the divert rule added all of a sudden it no longer works because packets no longer match the dynamic rules that were built. Are you willing to give me a hand to correct this oversight to the IPFW documentation and examples. -----Original Message----- From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Michael Sierchio Sent: Thursday, January 30, 2003 1:32 PM To: barbish@a1poweruser.com Cc: Nick Rogness; Simon L. 
Nielsen; freebsd-ipfw@FreeBSD.ORG Subject: Re: Error in ipfw manpage for stateful rules? JoeB wrote: > > S again I state that the documentation for keep-state rules using > IPFW/NATD do not contain the information to create an fully enabled > keep-state firewall using the IPFW/NATD function. There are subtleties in integrating natd and stateful ipfirewall rules, and these aren't covered in the examples. It's fairly easy to see where the difficulty is, though, if you understand how the stateful rules work -- they are looking for SYN/ACK and ACK packets that match the parent rule, so take care when rewriting addresses so you get matching packets! It may be that you need to use skipto rules to separate inbound and outbound packets. Also note: it is documented but frequently forgotten that nat'd packets, or any packets passed via DIVERT, lose information -- such as which interface the packet was received on. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jan 30 13:42:48 2003 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F22A537B401 for ; Thu, 30 Jan 2003 13:42:47 -0800 (PST) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 5241543F3F for ; Thu, 30 Jan 2003 13:42:47 -0800 (PST) (envelope-from kudzu@tenebras.com) Received: (qmail 1741 invoked from network); 30 Jan 2003 21:42:46 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 30 Jan 2003 21:42:46 -0000 Message-ID: <3E399C53.3030406@tenebras.com> Date: Thu, 30 Jan 2003 13:42:43 -0800 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.2b) Gecko/20021016 X-Accept-Language: en-us, en, 
fr-fr, ru MIME-Version: 1.0 To: barbish@a1poweruser.com Cc: Nick Rogness , "Simon L. Nielsen" , freebsd-ipfw@FreeBSD.ORG Subject: Re: Error in ipfw manpage for stateful rules? References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG JoeB wrote: > ... Also this little quote from your > email response "Also note: it is documented but frequently > forgotten that nat'd packets, or any packets passed via DIVERT, lose > information -- such as which interface the packet was received on." > Causes me a great amount of concern. I would think the divert code > needs to be fixed to correct this problem It's a feature, not a bug. Since the process listening on the divert socket can morph the packet into anything, there's simply no way of knowing where it arrived. > Are you willing to give me a hand to correct this > oversight to the IPFW documentation and examples. The man page(s) need a rewrite, to be sure. I think the examples should be moved out of the man page and put in /usr/share/examples/ipfw... 
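The ordering problem the thread keeps circling (Michael's point that keep-state looks for the SYN/ACK and ACK packets matching the parent rule, so rewritten addresses must still match, and JoeB's report that his rules stopped matching the dynamic rules once a divert rule was added), as an added example that is not code from the thread or from FreeBSD: a small Python model of one packet's two passes through an ipfw rule list with a stand-in natd. It runs the rules quoted earlier in the thread in three orderings. The addresses, ports, interface names and the simplified natd (one translation table, source port preserved) are assumptions of the example, not ipfw's or natd's actual implementation.

```python
"""Toy model of ipfw rule evaluation with natd and keep-state.

Added example, not FreeBSD kernel code. It keeps only what the thread
discusses: divert (an address rewrite by a stand-in natd), check-state and
keep-state (dynamic rules keyed on the addresses seen when the rule fires),
setup, established, plain allow/deny, and the two passes a forwarded packet
makes through the rules ('in' on one interface, 'out' on the other).
Addresses, ports and interface names are assumptions.
"""
from dataclasses import dataclass, replace

PUB = "203.0.113.1"          # assumed public address natd rewrites to
PRV = "10.0.0.5"             # assumed inside client
WEB = "198.51.100.7"         # assumed remote web server
OIF, IIF = "fxp0", "fxp1"    # assumed outside / inside interfaces


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # TCP flags as a string: "S", "SA" or "A"
    direction: str    # "in" or "out"
    iface: str


class Natd:
    """Stand-in for natd: rewrite the source going out, the destination coming back."""

    def __init__(self):
        self.table = {}                      # public port -> (inside addr, inside port)

    def translate(self, p):
        if p.direction == "out" and p.src != PUB:
            self.table[p.sport] = (p.src, p.sport)   # simplification: port kept
            return replace(p, src=PUB)
        if p.direction == "in" and p.dst == PUB and p.dport in self.table:
            addr, port = self.table[p.dport]
            return replace(p, dst=addr, dport=port)
        return p


def key(p):
    """A dynamic rule matches both directions of a flow, so the key is unordered."""
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])


def run(rules, natd, dyn, p):
    """One pass through the numbered rules; returns (action, rule, packet as it leaves)."""
    for num, action, match in rules:
        if action == "divert":
            if match(p):
                p = natd.translate(p)        # natd re-injects at the next rule
        elif action == "check-state":
            if key(p) in dyn:
                return "allow", num, p
        elif action == "keep-state":
            if match(p):
                dyn.add(key(p))              # state is keyed on the addresses seen HERE
                return "allow", num, p
        elif match(p):
            return action, num, p
    return "deny", 65535, p                  # default rule


def ruleset(variant):
    """The rules quoted in the thread, in three orderings."""
    divert = (100, "divert", lambda p: p.iface == OIF)
    check = (200, "check-state", None)
    allow_nat_out = (300, "allow", lambda p: p.src == PUB and p.direction == "out" and p.iface == OIF)
    deny_est = (400, "deny", lambda p: "A" in p.flags)         # deny tcp from any to any established
    state_inside = (500, "keep-state", lambda p: p.flags == "S" and p.direction == "in"
                    and p.iface == IIF and p.src.startswith("10."))
    if variant == "good":                # divert before check-state, state made before NAT
        return [divert, check, allow_nat_out, deny_est, state_inside]
    if variant == "check-state-first":   # dynamic rule fires before natd sees the packet
        return [check, divert, allow_nat_out, deny_est, state_inside]
    if variant == "state-after-nat":     # keep-state on the outside interface, post-NAT
        state_outside = (500, "keep-state", lambda p: p.flags == "S" and p.direction == "out"
                         and p.iface == OIF)
        allow_in = (600, "allow", lambda p: p.direction == "in" and p.iface == IIF)
        return [divert, check, deny_est, state_outside, allow_in]
    raise ValueError(variant)


def simulate(variant):
    """Inside client opens a TCP connection; the server answers the public address."""
    natd, dyn, rules = Natd(), set(), ruleset(variant)
    syn = Pkt(PRV, 40000, WEB, 80, "S", "in", IIF)
    r1 = run(rules, natd, dyn, syn)                                         # in via IIF
    r2 = run(rules, natd, dyn, replace(r1[2], direction="out", iface=OIF))  # out via OIF
    r3 = run(rules, natd, dyn, Pkt(WEB, 80, PUB, 40000, "SA", "in", OIF))   # in via OIF
    return {"out_src": r2[2].src, "out_rule": r2[1], "reply": r3[0], "reply_rule": r3[1]}


if __name__ == "__main__":
    for v in ("good", "check-state-first", "state-after-nat"):
        print(f"{v:18} {simulate(v)}")
```

With divert ahead of check-state and the state created on the inside interface before translation, natd restores the inside address on the reply before check-state sees it, so the reply matches; the translated outbound packet no longer matches the dynamic rule, which is what the "allow ip from $pub_hosts to any out xmit $oif" rule in the ruleset above is there for. Put check-state first and the outbound packet is accepted before natd ever sees it, so it leaves with its private source address; create the state on the outside interface after translation and the reply, now carrying the inside address again, misses the state and lands on "deny established". On a real box, ipfw -d list shows which addresses the dynamic rules were actually keyed on.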
From owner-freebsd-ipfw Thu Jan 30 14:03:45 2003
Date: Thu, 30 Jan 2003 17:03:40 -0500
From: "JoeB"
To: "Michael Sierchio"
Cc: "Nick Rogness", "Simon L. Nielsen",
Subject: RE: Error in ipfw manpage for stateful rules?
In-Reply-To: <3E399C53.3030406@tenebras.com>

You did not answer my question:

> Are you willing to give me a hand to correct this
> oversight to the IPFW documentation and examples.

I will do the testing of the rules sets and write the rough draft explaining what the rules are doing; you help me get a rules coding logic that works correctly and review my rough draft for final placement wherever in FBSD. This offer also goes out to the other people who read the IPFW list.
From owner-freebsd-ipfw Thu Jan 30 14:48:32 2003
Date: Thu, 30 Jan 2003 16:49:28 -0600
From: "Shawn Barnhart"
Subject: Re: Error in ipfw manpage for stateful rules?
Message-ID: <01a601c2c8b1$d8be6c40$62229fc0@ad.campbellmithun.com>
References: <3E399C53.3030406@tenebras.com>

----- Original Message -----
From: "Michael Sierchio"

> > > Are you willing to give me a hand to correct this
> > > oversight to the IPFW documentation and examples.
>
> The man page(s) need a rewrite, to be sure. I think the examples
> should be moved out of the man page and put in /usr/share/examples/ipfw...

I'd love to see a lot more examples of the many ipfw features, especially if they illustrate common uses or setups. I know it gets exponentially complicated as you mix features on a common box, so it might be best if there were more examples with smaller combinations rather than one huge example that combines dummynet, filtering, nat, transparent proxy and bridging into one mind-twisting example.

From owner-freebsd-ipfw Thu Jan 30 16:43:16 2003
Date: Fri, 31 Jan 2003 00:43:10 +0000
From: AMAKAWA Shuhei
Cc: "Willie Viljoen",
Subject: Re: Error in ipfw manpage for stateful rules?
References: <200301301630.19610.will@unfoldings.net>

At Thu, 30 Jan 2003 11:18:40 -0500, JoeB wrote:
>
> Well I think you make my point for me very well by pointing out that
> net.inet.ip.fw.one_pass=0 and the NATD option -d are necessary
> to get it to function correctly.

No. It is possible to do stateful ipfw+natd without net.inet.ip.fw.one_pass=0 and natd -d, although it's not so obvious. Some hint is in the message which I posted several days ago. The fact that you don't know how doesn't mean it's impossible.

> And I must again point out that nowhere
> are these additional keep-state requirements documented.

Yes, but that's a separate issue.

> This is the part that is missing from the documentation when talking about
> IPFW / NATD with keep-state rules.
> Where in the IPFW documentation is this stated, and shouldn't there be
> an example of this method included in FBSD?

Absolutely. It would be nicer if there were more tutorial material that goes over such subtleties.

> And I must still point out that my statement is still true.
> That keep-state rules do not function correctly in IPFW/NATD.

Not true.

From owner-freebsd-ipfw Thu Jan 30 23:58:31 2003
Date: Fri, 31 Jan 2003 07:58:27 +0000
From: AMAKAWA Shuhei
To: freebsd-ipfw@FreeBSD.ORG
Cc: Sergey Klusov
Subject: Re: ipfw2
In-Reply-To: <124904071.20030130102535@geoseis.t72.ru>

At Thu, 30 Jan 2003 10:25:35 +0500, Sergey Klusov wrote:
>
> ipfw add 50 divert natd all from any to any via ${extif}
> ipfw add 100 check-state
> ipfw add 200 deny log tcp from any to any established
> ipfw add 300 permit tcp from any to any setup
>
> Almost always there is a logged message like this WHEN the connection
> terminates. Everything works fine, but the log is full of this:
>
> Jan 10 12:04:24 tower /kernel: ipfw: 200 Deny TCP 217.66.99.188:80 193.111.x.x:1147 in via rl1
>
> I've tried to intercept these packets with tcpdump and figured out
> that the packets logged are TCP packets with the FIN flag. And it seems
> that many hosts send multiple FIN packets, which causes the dynamic
> rule to be removed on the first FIN packet and then the message above
> to be logged for all subsequent packets.
> Also I must note that it is not diverted packets being logged, because we
> use squid, which is on the same host. So I doubt that this is a NAT
> issue.
>
> Any ideas?

I think you keep-state at 300.

Does

  sysctl net.inet.ip.fw.dyn_fin_lifetime=4

possibly change anything?
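Sergey's logged line (rule 200 denying FIN segments after the connection has closed) and AMAKAWA's dyn_fin_lifetime suggestion, as an added example that is neither the thread's nor FreeBSD's code: a Python model of one dynamic rule's lifetime as a connection is opened, used and closed, run through the check-state / deny log established / allow setup keep-state order of Sergey's ruleset with a constructed timeline in which the server retransmits its FIN. The lifetime values are the dyn_*_lifetime sysctl defaults as I recall them (confirm with sysctl net.inet.ip.fw on your own box) and the timeline is constructed; both are assumptions of the example.

```python
"""Toy model of an ipfw dynamic rule's lifetime around connection close.

Added example, not FreeBSD code. It models one mechanism from the thread:
a keep-state entry gets a short lifetime once both sides have sent FIN,
and a segment arriving after the entry has expired no longer matches
check-state, so it falls through to 'deny log tcp from any to any
established', which is the logged line. Lifetimes are named after the
net.inet.ip.fw.dyn_*_lifetime sysctls; the default values below are an
assumption (check sysctl net.inet.ip.fw), and so is the packet timeline.
"""
from dataclasses import dataclass, field

LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1}   # assumed defaults, seconds


@dataclass
class DynRule:
    """One keep-state entry: which sides sent SYN / FIN, and when it expires."""
    expire: float
    syn: set = field(default_factory=set)
    fin: set = field(default_factory=set)
    rst: bool = False


def lifetime(r, lt):
    """Pick the lifetime class from the flags seen so far on the flow."""
    if r.rst:
        return lt["rst"]
    if len(r.fin) == 2:        # both sides have closed: short lifetime
        return lt["fin"]
    if len(r.syn) == 2:        # established (one FIN alone keeps it here)
        return lt["ack"]
    return lt["syn"]           # only the opening SYN seen so far


class StateTable:
    def __init__(self, lt):
        self.lt, self.rules = lt, {}

    def keep_state(self, flow, side, now):
        self.rules[flow] = DynRule(expire=now + self.lt["syn"], syn={side})

    def check_state(self, flow, side, flags, now):
        """True if a live dynamic rule matches; a match also refreshes its expiry."""
        r = self.rules.get(flow)
        if r is None:
            return False
        if r.expire <= now:                    # expired entries are dropped at lookup
            del self.rules[flow]
            return False
        if "S" in flags:
            r.syn.add(side)
        if "F" in flags:
            r.fin.add(side)
        if "R" in flags:
            r.rst = True
        r.expire = now + lifetime(r, self.lt)
        return True


def denied_established(packets, lt):
    """Run (time, side, flags) segments of one flow through the rule order
    check-state / deny log established / allow setup keep-state.
    Returns the times at which the deny rule would log."""
    st, logged = StateTable(lt), []
    for t, side, flags in packets:
        if st.check_state("flow", side, flags, t):
            continue                           # rule 100 check-state
        if "A" in flags or "R" in flags:
            logged.append(t)                   # rule 200 deny log ... established
        elif flags == "S":
            st.keep_state("flow", side, t)     # rule 300 allow ... setup keep-state
    return logged


# Constructed timeline: client "c" opens, both sides close, then the server
# retransmits its FIN three times with growing gaps.
CLOSE = [
    (0.0, "c", "S"), (0.1, "s", "SA"), (0.2, "c", "A"),
    (5.0, "c", "A"), (5.1, "s", "A"),
    (10.0, "c", "FA"), (10.1, "s", "FA"), (10.2, "c", "A"),
    (12.5, "s", "FA"), (16.0, "s", "FA"), (25.0, "s", "FA"),
]

if __name__ == "__main__":
    print("dyn_fin_lifetime=1:", denied_established(CLOSE, LIFETIME))
    print("dyn_fin_lifetime=4:", denied_established(CLOSE, {**LIFETIME, "fin": 4}))
```

With the one-second lifetime every FIN retransmitted after the entry expires is logged; at four seconds each early retransmission refreshes the entry and only the late one is logged, which is the "yes, but only a little" outcome further down the thread. What remains is expected: those segments belong to a connection the firewall has already forgotten, and the logging deny rule is the one that is supposed to catch them.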
From owner-freebsd-ipfw Fri Jan 31 01:04:01 2003
Date: Fri, 31 Jan 2003 13:58:56 +0500
From: Sergey Klusov
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re[2]: ipfw2
Message-ID: <8817291854.20030131135856@geoseis.t72.ru>
References: <124904071.20030130102535@geoseis.t72.ru>

Hello AMAKAWA,

Friday, January 31, 2003, 12:58:27 PM, you wrote:

AS> At Thu, 30 Jan 2003 10:25:35 +0500,
AS> Sergey Klusov wrote:
>>
>> ipfw add 50 divert natd all from any to any via ${extif}
>> ipfw add 100 check-state
>> ipfw add 200 deny log tcp from any to any established
>> ipfw add 300 permit tcp from any to any setup
>>
>> Almost always there is a logged message like this WHEN the connection
>> terminates. Everything works fine, but the log is full of this:
>>
>> Jan 10 12:04:24 tower /kernel: ipfw: 200 Deny TCP 217.66.99.188:80 193.111.x.x:1147 in via rl1
>>
>> I've tried to intercept these packets with tcpdump and figured out
>> that the packets logged are TCP packets with the FIN flag. And it seems
>> that many hosts send multiple FIN packets, which causes the dynamic
>> rule to be removed on the first FIN packet and then the message above
>> to be logged for all subsequent packets.
>> Also I must note that it is not diverted packets being logged, because we
>> use squid, which is on the same host. So I doubt that this is a NAT
>> issue.
>>
>> Any ideas?

AS> I think you keep-state at 300.

Sure, it's there; I just forgot to type it in the e-mail.

AS> Does
AS> sysctl net.inet.ip.fw.dyn_fin_lifetime=4
AS> possibly change anything?

Yes, but only a little; still many messages.

-- 
Best regards,
Sergey mailto:shy@geoseis.t72.ru

From owner-freebsd-ipfw Fri Jan 31 04:35:58 2003
Date: Fri, 31 Jan 2003 17:35:46 +0500
From: Sergey Klusov
To: freebsd-ipfw@FreeBSD.ORG
Subject: muliple ips in ipfw2
Message-ID: <15030303403.20030131173546@geoseis.t72.ru>

The rule

  ipfw add 0001 allow ip from { 192.168.0.1 or 192.168.0.2 } to any

works fine, but

  ipfw add 0001 allow ip from 192.168.0.0/24{1,2} to any

doesn't.

BUG?

-- 
Best regards,
Sergey Klusov

From owner-freebsd-ipfw Fri Jan 31 07:17:37 2003
Date: Fri, 31 Jan 2003 07:17:34 -0800
From: Michael Sierchio
To: Sergey Klusov
Subject: Re: muliple ips in ipfw2
Message-ID: <3E3A938E.6090105@tenebras.com>
In-Reply-To: <15030303403.20030131173546@geoseis.t72.ru>

Sergey Klusov wrote:
> rule:
> ipfw add 0001 allow ip from { 192.168.0.1 or 192.168.0.2 } to any
> works fine, but
> ipfw add 0001 allow ip from 192.168.0.0/24{1,2} to any
> doesn't
>
> BUG?

It's fixed in 4.7-STABLE, but didn't work in 4.7-RELEASE.

From owner-freebsd-ipfw Fri Jan 31 09:16:22 2003
Date: Fri, 31 Jan 2003 10:16:01 -0700 (MST)
From: Nick Rogness
To: JoeB
Cc: Michael Sierchio, "Simon L. Nielsen",
Subject: RE: Error in ipfw manpage for stateful rules?
Message-ID: <20030131101111.D73135-100000@skywalker.rogness.net>

On Thu, 30 Jan 2003, JoeB wrote:

[SNIP]
> I believe the subject to this thread is dealing with changing the
> examples and documentation to deal with getting IPFW/NATD/KEEP-STATE
> rules to play together correctly.
[SNIP]

That was not the subject of the original thread. It was an error with ipfw and keep-state in the man page. Where did natd get involved? NAT & IPFW stateful inspection is a whole other topic. Please use a separate thread for that conversation.

Nick Rogness
- How many people here have telekinetic powers? Raise my hand.
  -Emo Philips