From owner-freebsd-ipfw Sun Mar 16 16:28:34 2003
From: "Bill Wadsworth (250-539-3196)"
Reply-To: admin@macteks.com
Organization: Gulf Islands Wireless Network Ltd.
To: freebsd-ipfw@FreeBSD.ORG
Subject: mac and ip filtering in tandem
Date: Sun, 16 Mar 2003 16:28:26 -0800
Message-ID: <3E7516A9.47D024A6@macteks.com>

Hello all,

Wondering if anyone has written anything that will handle authentication
based on the matched pair of IP and MAC address, i.e. :) a wireless user
connects to a BSD-powered access point. The user is then authenticated on
the MAC address and IP address they are using as a pair, not
independently. This would be similar to using a username and password on
a RADIUS PPP connection.

Any suggestions on how to accomplish this would be most welcome. I have
been playing around with IPFilter and IPFW, but the question is how to
get the two to work in tandem so that both parameters must match, not
just one.

Thanks in advance.

Bill

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Mar 17 0:49:28 2003
Date: Mon, 17 Mar 2003 00:49:25 -0800
From: Luigi Rizzo
To: "Bill Wadsworth (250-539-3196)"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: mac and ip filtering in tandem
Message-ID: <20030317004925.A99313@xorpc.icir.org>
References: <3E7516A9.47D024A6@macteks.com>
In-Reply-To: <3E7516A9.47D024A6@macteks.com>; from admin@macteks.com on Sun, Mar 16, 2003 at 04:28:26PM -0800

On Sun, Mar 16, 2003 at 04:28:26PM -0800, Bill Wadsworth (250-539-3196) wrote:
> Hello all
>
> Wondering if anyone has written anything that will handle authentication based on the matched pair
> of IP and Mac address.

you can match both MAC and IP with ipfw2, if you use it on layer2 packets.

cheers
luigi

> i.e.:) wireless user connects to a bsd powered access point. The user is then authenticated on the
> mac address
> and ip address they are using as a pair not independently. This would be similar to using a username
>
> and password on a radius ppp connection.
>
> Any suggestions on how to accomplish this would be most welcome. I have been playing around with
> IpFilter and IPFW but the question is how to get the two to work in tandem so that both parameters
> must match not just one.
>
> Thanks in advance.
>
> Bill
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Mar 17 7:14:26 2003
Date: Mon, 17 Mar 2003 21:51:53 +0700 (GMT)
Message-Id: <200303171451.h2HEprwo024862@cscoms.com>
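Luigi's one-line answer to Bill, worked through as an added example that is not part of the thread: an sh script that emits ipfw2 layer2 rules admitting a wireless client only when the frame's source MAC and the IP source address both equal a registered pair. The interface wi0, the rule numbers and the two registered pairs are constructed values; the keywords (MAC, layer2, mac-type, net.link.ether.ipfw) are ipfw2's, but the assembled rule set is an assumption, not a configuration taken from the list.

```shell
#!/bin/sh
# Added example (not from the thread): generate ipfw2 layer2 rules that admit a
# wireless client only when BOTH its ethernet source address and its IP source
# address equal a registered pair. Every other frame arriving on the wireless
# interface is dropped at layer2. Interface name, rule numbers and the pair
# list below are constructed values.

# pair_rules IFACE RULENO IP MAC
#   Emit the rules admitting one (IP, MAC) pair on IFACE. Both conditions sit
#   in one rule, so a frame from the right MAC with another IP source, or the
#   right IP from another MAC, matches neither rule.
pair_rules() {
    # IP traffic from the pair ("MAC dst src": any destination, this source)
    printf 'ipfw add %s allow ip from %s to any MAC any %s layer2 in via %s\n' \
        "$2" "$3" "$4" "$1"
    # ARP (ethertype 0x0806) from the same MAC, so the client can resolve the AP
    printf 'ipfw add %s allow ip from any to any MAC any %s mac-type 0x0806 layer2 in via %s\n' \
        "$(($2 + 1))" "$4" "$1"
}

# ruleset IFACE PAIRS
#   PAIRS holds one "ip mac" pair per line. Prints the sysctl that turns on
#   layer2 filtering, one pair of rules per client, and a final deny.
ruleset() {
    # with this sysctl IP packets traverse ipfw twice (layer2 and layer3);
    # the "layer2" keyword keeps these rules from acting on the second pass
    echo 'sysctl net.link.ether.ipfw=1'
    _num=1000
    printf '%s\n' "$2" | while read -r _ip _mac; do
        [ -n "$_ip" ] || continue
        pair_rules "$1" "$_num" "$_ip" "$_mac"
        _num=$((_num + 10))
    done
    # anything else arriving on the wireless side is dropped before layer3
    echo "ipfw add 1990 deny ip from any to any layer2 in via $1"
}

# constructed registration list (not real hosts)
PAIRS='10.1.0.23 00:11:22:33:44:55
10.1.0.24 00:11:22:33:44:66'

ruleset wi0 "$PAIRS"
```

Both addresses are set by the client, so this pins a registration to a pair rather than authenticating a user; it stops accidental reuse of an address, not a deliberate clone of both.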
From: job2546@thaimail.com
Subject: "If you keep doing what you are doing today, tomorrow will be the same as today
Reply-To: job2546@thaimail.com
To: undisclosed-recipients: ;

"If you fail to plan, you are planning to fail." Jim Rohn, the world's number one philosopher

For example, if you think that in this life there is no way we will get rich, then you will never get rich at all. Or, "you think that one day I must surely be rich."

Jim Rohn says: "If you keep doing what you are doing every day, think about whether in 3 years' time you will have a chance of being rich."

"If the answer is yes, you are going to be rich." Then congratulations, you are about to be rich.

"But if the answer is no, you cannot get rich." Then you must change something in your life.

Jim Rohn also says: "If you keep doing what you are doing today, tomorrow will be the same as today, on and on without end." That means:

- if today you still have to run after money to pay your debts
- if today your boss still oppresses you and works you hard
- if today you still cannot find a way out

Give yourself a chance. Open your mind wide and follow us, or let this opportunity slip away.

============================================================
You can see further details and fill in your information to request free introductory information at http://www.geocities.com/thaigetrich/easywork
============================================================

We apologise if this message was sent to you by accident. If you do not want to receive this message again, please mail www.ecommerce.web1000.com/unsub

From owner-freebsd-ipfw Mon Mar 17 11: 1:33 2003
Date: Mon, 17 Mar 2003 11:01:31 -0800 (PST)
Message-Id: <200303171901.h2HJ1VT0011078@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2003/01/05]  bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/01/15]  bin/47120   ipfw   [patch] Sanity check in ipfw(8)

3 problems total.

From owner-freebsd-ipfw Tue Mar 18 12: 8:35 2003
Date: Tue, 18 Mar 2003 12:08:28 -0800
From: "Crist J. Clark"
To: Wiktor Niesiobedzki
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Prioritizing empty TCP ACKs with ipfw?
Message-ID: <20030318200828.GC74853@blossom.cjclark.org>
Reply-To: "Crist J. Clark"
References: <20030314085636.GB64326@galgenberg.net> <20030314224655.GA2616@mail.evip.pl>
In-Reply-To: <20030314224655.GA2616@mail.evip.pl>
X-URL: http://people.freebsd.org/~cjc/

On Fri, Mar 14, 2003 at 11:46:55PM +0100, Wiktor Niesiobedzki wrote:
> On Fri, Mar 14, 2003 at 08:22:36PM +0100, clemens fischer wrote:
> > Ulrich Spoerlein :
> >
> > > I recently read this paper [1] and have to say that I am amazed. Is
> > > this possible with ipfw/2 too? If so, how would one set this up?
> > >
> > > [1] http://www.benzedrine.cx/ackpri.html
> >
> > if i'm not mistaken, this is available right now with ipfw, see the
> > link to luigis dummynet page in the article you cited.
>
> With IPFW2 I use currently "iplen 40" option, is there any *better* way, of
> selecting empty ACK packet?

The amount of data in any given TCP segment is not stored explicitly in
the header. It has to be calculated by:

    segment_data_length = ip_datagram_len - ip_header_len - tcp_offset

Given that an IP header is almost always 20 bytes long and the TCP
header (offset) is usually 20 bytes, your value makes sense... unless
the TCP header is carrying options, e.g. timestamps.

Doing this calculation would be easy enough, but I think your solution
is probably sufficient. If any change were to be made, I think changing
the 'iplen' option to do "greater-than" and "less-than" checks, rather
than just "equals", would be more useful in general. That way, you can
catch ACKs with no data, but ones that also have a timestamp option
(<53), or SACK options (<53, <61, or <68, depending on how many you want
to allow).

--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Tue Mar 18 13:31:43 2003
Date: Tue, 18 Mar 2003 22:31:32 +0100
From: "Simon L. Nielsen"
To: "Crist J. Clark"
Cc: Wiktor Niesiobedzki, freebsd-ipfw@freebsd.org
Subject: Re: Prioritizing empty TCP ACKs with ipfw?
Message-ID: <20030318213131.GF377@nitro.dk>
References: <20030314085636.GB64326@galgenberg.net> <20030314224655.GA2616@mail.evip.pl> <20030318200828.GC74853@blossom.cjclark.org>
In-Reply-To: <20030318200828.GC74853@blossom.cjclark.org>

On 2003.03.18 12:08:28 -0800, Crist J. Clark wrote:
> Doing this calculation would be easy enough, but I think your solution
> is probably sufficient. If any change were to be made, I think
> changing the 'iplen' option to do "greater-than" and "less-than"
> checks, rather than just "equals" would be more useful in
> general. That way, you can catch ACKs with no data, but ones that also
> have a timestamp option (<53), or sack options (<53, <61, or <68,
> depending on how many you want to allow).

I actually played around with that a few days ago for this exact
purpose. See the attached patch for -CURRENT.

It adds two options instead of trying to make more complicated parsing
of the iplen option with arguments like '<', '>', '>=' and so on.

    iplenmin len
        Matches IP packets whose total length, including header and data,
        is minimum len bytes (packet length >= len).

    iplenmax len
        Matches IP packets whose total length, including header and data,
        is maximum len bytes (packet length <= len).
The code has been tested very little (which is the reason I have not
bothered this list with it before :) ) but in my simple tests it works
fine.

Note that the attached patch had to be untangled from some other code
I'm working on, so it could have got the wrong parts out, but I think it
is ok.

--
Simon L. Nielsen

Content-Disposition: attachment; filename="ipfw2-iplen.patch"
Index: sbin/ipfw/ipfw.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v retrieving revision 1.122 diff -u -d -r1.122 ipfw.8 --- sbin/ipfw/ipfw.8 15 Mar 2003 01:13:00 -0000 1.122 +++ sbin/ipfw/ipfw.8 18 Mar 2003 20:54:22 -0000 @@ -901,6 +901,18 @@ Matches IP packets whose total length, including header and data, is .Ar len bytes. +.It Cm iplenmin Ar len +Matches IP packets whose total length, including header and data, is +minimum +.Ar len +bytes (packet length >=3D +.Ar len ) . +.It Cm iplenmax Ar len +Matches IP packets whose total length, including header and data, is +maximum +.Ar len +bytes (packet length <=3D +.Ar len ) . .It Cm ipoptions Ar spec Matches packets whose IP header contains the comma separated list of options specified in Index: sbin/ipfw/ipfw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.23 diff -u -d -r1.23 ipfw2.c --- sbin/ipfw/ipfw2.c 15 Mar 2003 01:12:59 -0000 1.23 +++ sbin/ipfw/ipfw2.c 18 Mar 2003 20:54:22 -0000 @@ -209,6 +209,8 @@ TOK_FRAG, TOK_IPOPTS, TOK_IPLEN, + TOK_IPLENMIN, + TOK_IPLENMAX, TOK_IPID, TOK_IPPRECEDENCE, TOK_IPTOS,
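Review bot: in the ipfw.8 hunk (@@ -901,6 +901,18 @@) the new entries read "is minimum .Ar len bytes" and "is maximum .Ar len bytes", which is not how the rest of the manual phrases bounds; "is at least .Ar len bytes" and "is at most .Ar len bytes" say the same thing, and the parenthetical "(packet length >= len)" / "(packet length <= len)" then becomes redundant and can be dropped.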
@@ -308,6 +310,8 @@ { "ipoptions", TOK_IPOPTS }, { "ipopts", TOK_IPOPTS }, { "iplen", TOK_IPLEN }, + { "iplenmin", TOK_IPLENMIN }, + { "iplenmax", TOK_IPLENMAX }, { "ipid", TOK_IPID }, { "ipprecedence", TOK_IPPRECEDENCE }, { "iptos", TOK_IPTOS }, @@ -1106,6 +1110,14 @@ printf(" iplen %u", cmd->arg1 ); break; =20 + case O_IPLENMIN: + printf(" iplenmin %u", cmd->arg1 ); + break; + + case O_IPLENMAX: + printf(" iplenmax %u", cmd->arg1 ); + break; + case O_IPOPT: print_flags("ipoptions", cmd, f_ipopts); break; @@ -2962,6 +2974,18 @@ case TOK_IPLEN: NEED1("iplen requires length"); fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0)); + ac--; av++; + break; + + case TOK_IPLENMIN: + NEED1("iplenmin requires length"); + fill_cmd(cmd, O_IPLENMIN, 0, strtoul(*av, NULL, 0)); + ac--; av++; + break; + + case TOK_IPLENMAX: + NEED1("iplenmax requires length"); + fill_cmd(cmd, O_IPLENMAX, 0, strtoul(*av, NULL, 0)); ac--; av++; break; =20 Index: sys/netinet/ip_fw.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.76 diff -u -d -r1.76 ip_fw.h --- sys/netinet/ip_fw.h 15 Mar 2003 01:13:00 -0000 1.76 +++ sys/netinet/ip_fw.h 18 Mar 2003 21:00:45 -0000 
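Review bot: in the @@ -2962,6 +2974,18 @@ hunk of ipfw2.c, fill_cmd(cmd, O_IPLENMIN, 0, strtoul(*av, NULL, 0)) and its O_IPLENMAX twin copy the existing iplen line and inherit its lack of validation: a non-numeric argument silently becomes 0, and nothing rejects values above 65535, the largest possible IP total length, so a mistyped bound yields a rule that quietly matches nothing or everything. Suggest parsing with strtoul(*av, &end, 0), rejecting *end != '\0' and values above 65535 with an error, before fill_cmd(), for all three keywords.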
@@ -72,6 +72,8 @@ =20 O_IPOPT, /* arg1 =3D 2*u8 bitmap */ O_IPLEN, /* arg1 =3D len */ + O_IPLENMIN, /* arg1 =3D len */ + O_IPLENMAX, /* arg1 =3D len */ O_IPID, /* arg1 =3D id */ =20 O_IPTOS, /* arg1 =3D id */ Index: sys/netinet/ip_fw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.28 diff -u -d -r1.28 ip_fw2.c --- sys/netinet/ip_fw2.c 15 Mar 2003 01:13:00 -0000 1.28 +++ sys/netinet/ip_fw2.c 18 Mar 2003 21:00:45 -0000 @@ -1740,6 +1740,14 @@ match =3D (hlen > 0 && cmd->arg1 =3D=3D ip_len); break; =20 + case O_IPLENMIN: + match =3D (hlen > 0 && cmd->arg1 <=3D ip_len); + break; + + case O_IPLENMAX: + match =3D (hlen > 0 && cmd->arg1 >=3D ip_len); + break; + case O_IPPRECEDENCE: match =3D (hlen > 0 && (cmd->arg1 =3D=3D (ip->ip_tos & 0xe0)) ); 
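Review bot: the comparisons in the @@ -1740,6 +1740,14 @@ hunk of ip_fw2.c are right (O_IPLENMIN: arg1 <= ip_len; O_IPLENMAX: arg1 >= ip_len) and keep the hlen > 0 guard of the O_IPLEN case, but because each opcode carries a single bound a rule needs both keywords to express a window, and neither can replace the exact-match O_IPLEN. Consider one opcode holding a low and a high bound, with the parser accepting the "iplen lo-hi" form Luigi suggests later in the thread; it would also collapse the duplicated print and parse cases in ipfw2.c to one each.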
@@ -2362,6 +2370,8 @@ case O_FRAG: case O_IPOPT: case O_IPLEN: + case O_IPLENMIN: + case O_IPLENMAX: case O_IPID: case O_IPTOS: case O_IPPRECEDENCE:

From owner-freebsd-ipfw Tue Mar 18 17:21:18 2003
Message-ID: <3E77C5DB.40202@acm.org>
Date: Tue, 18 Mar 2003 20:20:27 -0500
From: Jim Bloom
To: "Crist J. Clark"
Cc: Wiktor Niesiobedzki, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Prioritizing empty TCP ACKs with ipfw?
References: <20030314085636.GB64326@galgenberg.net> <20030314224655.GA2616@mail.evip.pl> <20030318200828.GC74853@blossom.cjclark.org>
In-Reply-To: <20030318200828.GC74853@blossom.cjclark.org>

Crist J. Clark wrote:
> The amount of data in any given TCP segment is not stored explicitly
> in the header. It has to be calculated by,
>
> segment_data_length = ip_datagram_len - ip_header_len - tcp_offset
>
> Given that an IP header is almost always 20-bytes long and the TCP
> header (offset) is usually 20-bytes, your value makes sense... Unless
> the TCP header is carrying options, e.g. timestamps.
>
> Doing this calculation would be easy enough, but I think your solution
> is probably sufficient. If any change were to be made, I think
> changing the 'iplen' option to do "greater-than" and "less-than"
> checks, rather than just "equals" would be more useful in
> general. That way, you can catch ACKs with no data, but ones that also
> have a timestamp option (<53), or sack options (<53, <61, or <68,
> depending on how many you want to allow).

If the 'iplen' option is set in the 50-70 range to handle other options
in the packet, it will also help interactive response for terminal
emulation. Typing and character echo usually send a few bytes of data at
a time.

Jim Bloom

From owner-freebsd-ipfw Wed Mar 19 0:41:51 2003
Date: Wed, 19 Mar 2003 00:41:38 -0800
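Crist's formula (segment data = IP total length minus IP header length minus TCP data offset) and Jim's point about tiny interactive segments, carried through as an added example that is not from the thread: an sh script that dissects constructed IPv4/TCP header dumps, computes the payload length exactly, and compares it with what a rule that only tests the IP total length (iplen 40, or a length range) would select. The three packets are constructed for this example, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the thread). Computes the TCP payload length as
# Crist describes, payload = ip_total_len - ip_header_len - tcp_data_offset,
# from a hex dump of an IPv4+TCP packet, and compares it with what a rule
# that only looks at the IP total length ("iplen 40", or a length range)
# would match. The packets below are constructed, not captured traffic.

# hexbyte HEX INDEX -> decimal value of byte INDEX (0-based) of hex string HEX
hexbyte() {
    _pair=$(printf '%s' "$1" | cut -c"$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))")
    echo $(( 0x$_pair ))
}

# ip_total_len HEX -> the 16-bit IP total length, the value ipfw's iplen tests
ip_total_len() {
    echo $(( $(hexbyte "$1" 2) * 256 + $(hexbyte "$1" 3) ))
}

# ip_hdr_len HEX -> IP header length in bytes (IHL * 4)
ip_hdr_len() {
    echo $(( ($(hexbyte "$1" 0) & 15) * 4 ))
}

# tcp_payload_len HEX -> TCP payload bytes; fails if not IPv4 carrying TCP
tcp_payload_len() {
    [ $(( $(hexbyte "$1" 0) >> 4 )) -eq 4 ] || return 1
    [ "$(hexbyte "$1" 9)" -eq 6 ] || return 1       # protocol 6 = TCP
    _ihl=$(ip_hdr_len "$1")
    # data offset lives in the high nibble of TCP byte 12, in 32-bit words
    _doff=$(( ($(hexbyte "$1" $(( _ihl + 12 ))) >> 4) * 4 ))
    echo $(( $(ip_total_len "$1") - _ihl - _doff ))
}

# is_empty_ack HEX -> true for ACK set, no SYN/FIN/RST, and zero payload
is_empty_ack() {
    _len=$(tcp_payload_len "$1") || return 1
    _flags=$(hexbyte "$1" $(( $(ip_hdr_len "$1") + 13 )))
    [ "$_len" -eq 0 ] && [ $(( _flags & 16 )) -ne 0 ] && [ $(( _flags & 7 )) -eq 0 ]
}

# iplen_in_range HEX LO HI -> true when LO <= IP total length <= HI, i.e.
# what a length-range match of the kind discussed in the thread would select
iplen_in_range() {
    _tot=$(ip_total_len "$1")
    [ "$_tot" -ge "$2" ] && [ "$_tot" -le "$3" ]
}

# constructed packets: 20-byte IPv4 header (proto 6) followed by TCP
IPH20='450000281234400040060000c0a80102c0a80101'   # total length 40
# bare ACK: 20-byte TCP header, flags 0x10
BARE_ACK="${IPH20}04d2005000000001000000015010ffff00000000"
# ACK carrying a timestamp option: total 52, TCP data offset 8 words
TS_ACK="450000341234400040060000c0a80102c0a8010104d2005000000001000000018010ffff000000000101080a0000006400000032"
# one byte of interactive data (PSH+ACK): total 41, Jim's terminal-echo case
ECHO_1BYTE="450000291234400040060000c0a80102c0a8010104d2005000000001000000015018ffff0000000061"

for p in BARE_ACK TS_ACK ECHO_1BYTE; do
    eval _pkt=\$$p
    printf '%-10s iplen=%s payload=%s empty_ack=%s\n' "$p" \
        "$(ip_total_len "$_pkt")" "$(tcp_payload_len "$_pkt")" \
        "$(is_empty_ack "$_pkt" && echo yes || echo no)"
done
```

The 41-byte echo segment shows the price of any length-only rule: a 40-68 range that catches option-bearing ACKs also admits tiny data segments, which Jim notes is acceptable for interactive traffic.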
From: Luigi Rizzo
To: "Simon L. Nielsen"
Cc: "Crist J. Clark", Wiktor Niesiobedzki, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Prioritizing empty TCP ACKs with ipfw?
Message-ID: <20030319004138.A68034@xorpc.icir.org>
References: <20030314085636.GB64326@galgenberg.net> <20030314224655.GA2616@mail.evip.pl> <20030318200828.GC74853@blossom.cjclark.org> <20030318213131.GF377@nitro.dk>
In-Reply-To: <20030318213131.GF377@nitro.dk>; from simon@nitro.dk on Tue, Mar 18, 2003 at 10:31:32PM +0100

On Tue, Mar 18, 2003 at 10:31:32PM +0100, Simon L. Nielsen wrote:
...
> It adds two options instead of trying to make more complicated parsing
> of the iplen option with arguments like '<', '>', '>=' and so on.

actually, because other instructions already handle ranges (e.g. those
matching port numbers) one could simply recycle that code in the user
interface (for parsing/printing). Changing the "iplen" opcode to check
numbers within a range is trivial (given that the size is upper bounded,
we do not need < > and the like but just say iplen 0-90 or iplen
128-65535). This would be my preference, also for ipttl and similar
instructions.

cheers
luigi

> iplenmin len
> Matches IP packets whose total length, including header and data,
> is minimum len bytes (packet length >= len).
>
> iplenmax len
> Matches IP packets whose total length, including header and data,
> is maximum len bytes (packet length <= len).
>
> The code have been tested very little (which is the reason I have not
> bothed this list with it before :) ) but in my simple tests it works
> fine.
> > Note that the attached patch had to be untagnled from some other code > i'm working on so it can be got the wrong parts out but I think it is > ok. > > -- > Simon L. Nielsen > Index: sbin/ipfw/ipfw.8 > =================================================================== > RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v > retrieving revision 1.122 > diff -u -d -r1.122 ipfw.8 > --- sbin/ipfw/ipfw.8 15 Mar 2003 01:13:00 -0000 1.122 > +++ sbin/ipfw/ipfw.8 18 Mar 2003 20:54:22 -0000 > @@ -901,6 +901,18 @@ > Matches IP packets whose total length, including header and data, is > .Ar len > bytes. > +.It Cm iplenmin Ar len > +Matches IP packets whose total length, including header and data, is > +minimum > +.Ar len > +bytes (packet length >= > +.Ar len ) . > +.It Cm iplenmax Ar len > +Matches IP packets whose total length, including header and data, is > +maximum > +.Ar len > +bytes (packet length <= > +.Ar len ) . > .It Cm ipoptions Ar spec > Matches packets whose IP header contains the comma separated list of > options specified in > Index: sbin/ipfw/ipfw2.c > =================================================================== > RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v > retrieving revision 1.23 > diff -u -d -r1.23 ipfw2.c > --- sbin/ipfw/ipfw2.c 15 Mar 2003 01:12:59 -0000 1.23 > +++ sbin/ipfw/ipfw2.c 18 Mar 2003 20:54:22 -0000 > @@ -209,6 +209,8 @@ > TOK_FRAG, > TOK_IPOPTS, > TOK_IPLEN, > + TOK_IPLENMIN, > + TOK_IPLENMAX, > TOK_IPID, > TOK_IPPRECEDENCE, > TOK_IPTOS, > @@ -308,6 +310,8 @@ > { "ipoptions", TOK_IPOPTS }, > { "ipopts", TOK_IPOPTS }, > { "iplen", TOK_IPLEN }, > + { "iplenmin", TOK_IPLENMIN }, > + { "iplenmax", TOK_IPLENMAX }, > { "ipid", TOK_IPID }, > { "ipprecedence", TOK_IPPRECEDENCE }, > { "iptos", TOK_IPTOS }, 
> @@ -1106,6 +1110,14 @@ > printf(" iplen %u", cmd->arg1 ); > break; > > + case O_IPLENMIN: > + printf(" iplenmin %u", cmd->arg1 ); > + break; > + > + case O_IPLENMAX: > + printf(" iplenmax %u", cmd->arg1 ); > + break; > + > case O_IPOPT: > print_flags("ipoptions", cmd, f_ipopts); > break; > @@ -2962,6 +2974,18 @@ > case TOK_IPLEN: > NEED1("iplen requires length"); > fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0)); > + ac--; av++; > + break; > + > + case TOK_IPLENMIN: > + NEED1("iplenmin requires length"); > + fill_cmd(cmd, O_IPLENMIN, 0, strtoul(*av, NULL, 0)); > + ac--; av++; > + break; > + > + case TOK_IPLENMAX: > + NEED1("iplenmax requires length"); > + fill_cmd(cmd, O_IPLENMAX, 0, strtoul(*av, NULL, 0)); > ac--; av++; > break; > > Index: sys/netinet/ip_fw.h > =================================================================== > RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v > retrieving revision 1.76 > diff -u -d -r1.76 ip_fw.h > --- sys/netinet/ip_fw.h 15 Mar 2003 01:13:00 -0000 1.76 > +++ sys/netinet/ip_fw.h 18 Mar 2003 21:00:45 -0000 > @@ -72,6 +72,8 @@ > > O_IPOPT, /* arg1 = 2*u8 bitmap */ > O_IPLEN, /* arg1 = len */ > + O_IPLENMIN, /* arg1 = len */ > + O_IPLENMAX, /* arg1 = len */ > O_IPID, /* arg1 = id */ > > O_IPTOS, /* arg1 = id */ > Index: sys/netinet/ip_fw2.c > =================================================================== > RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v > retrieving revision 1.28 > diff -u -d -r1.28 ip_fw2.c > --- sys/netinet/ip_fw2.c 15 Mar 2003 01:13:00 -0000 1.28 > +++ sys/netinet/ip_fw2.c 18 Mar 2003 21:00:45 -0000 > @@ -1740,6 +1740,14 @@ > match = (hlen > 0 && cmd->arg1 == ip_len); > break; > > + case O_IPLENMIN: > + match = (hlen > 0 && cmd->arg1 <= ip_len); > + break; > + > + case O_IPLENMAX: > + match = (hlen > 0 && cmd->arg1 >= ip_len); > + break; > + > case O_IPPRECEDENCE: > match = (hlen > 0 && > (cmd->arg1 == (ip->ip_tos & 0xe0)) ); 
> @@ -2362,6 +2370,8 @@ > case O_FRAG: > case O_IPOPT: > case O_IPLEN: > + case O_IPLENMIN: > + case O_IPLENMAX: > case O_IPID: > case O_IPTOS: > case O_IPPRECEDENCE:

From owner-freebsd-ipfw Wed Mar 19 1:46:52 2003
Date: Wed, 19 Mar 2003 10:46:47 +0100
From: "Simon L. Nielsen"
To: Luigi Rizzo
Cc: "Crist J. Clark", Wiktor Niesiobedzki, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Prioritizing empty TCP ACKs with ipfw?
Message-ID: <20030319094645.GA354@nitro.dk>
References: <20030314085636.GB64326@galgenberg.net> <20030314224655.GA2616@mail.evip.pl> <20030318200828.GC74853@blossom.cjclark.org> <20030318213131.GF377@nitro.dk> <20030319004138.A68034@xorpc.icir.org>
In-Reply-To: <20030319004138.A68034@xorpc.icir.org>

On 2003.03.19 00:41:38 -0800, Luigi Rizzo wrote:
> On Tue, Mar 18, 2003 at 10:31:32PM +0100, Simon L. Nielsen wrote:
> ...
> > It adds two options instead of trying to make more complicated parsing
> > of the iplen option with arguments like '<', '>', '>=' and so on.
>
> actually, because other instructions already handle ranges
> (e.g. those matching port numbers) one could simply recycle
> that code in the user interface (for parsing/printing).
> Changing the "iplen" opcode to check numbers within a
> range is trivial (given that the size is upper bounded,
> we do not need < > and the like but just say iplen 0-90 or
> iplen 128-65535.
>
> This would be my preference, also for ipttl and similar
> instructions.

I hadn't thought of doing it that way, but yes, that makes much more
sense. I plan to look at this once I get a few other things done, unless
somebody else does it first :)

--
Simon L. Nielsen

From owner-freebsd-ipfw Wed Mar 19 3:38:55 2003
Subject: {x,x,x,x} rule
From: Martin Larsson
Reply-To: sopppp@home.se
To: freebsd-ipfw@freebsd.org
Message-Id: <1048073860.1497.7.camel@oddjob.kul.lan>
Date: 19 Mar 2003 12:37:40 +0100

hi, anyone know why this rule won't work?

allow tcp from 213.131.131.0/24{155,156,184} to any dst-port 113 setup

i want to allow traffic from 213.131.131.155, 156 and 184 to my own port 113.

My system is 4.7 release with ipfw2.

//martin

From owner-freebsd-ipfw Wed Mar 19 3:42:33 2003
Date: Wed, 19 Mar 2003 03:42:30 -0800
From: Luigi Rizzo
To: Martin Larsson
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: {x,x,x,x} rule
Message-ID: <20030319034230.A92931@xorpc.icir.org>
In-Reply-To: <1048073860.1497.7.camel@oddjob.kul.lan>; from sopppp@home.se on Wed, Mar 19, 2003 at 12:37:40PM +0100

4.7R had a bug (long since fixed) on this specific rule which swapped
the src and dst addresses in the comparison. Please upgrade ip_fw2.c
and /sbin/ipfw

cheers
luigi

On Wed, Mar 19, 2003 at 12:37:40PM +0100, Martin Larsson wrote:
> hi, anyone know why this rule won't work?
>
> allow tcp from 213.131.131.0/24{155,156,184} to any dst-port
> 113 setup
>
> i want to allow traffic from 213.131.131.155, 156 and 184 to my own port
> 113.
>
> My system is 4.7 release with ipfw2.
>
> //martin

From owner-freebsd-ipfw Wed Mar 19 4:57:37 2003
Date: Wed, 19 Mar 2003 15:54:50 +0300 (MSK)
From: maxes@peterlink.ru
To: freebsd-ipfw@FreeBSD.ORG
Subject: dynamic rules: PARENT 65534

Hi all

I use the following rules on a test server:

ipfw add 01 check-state
ipfw add 15 count log logamount 10 tcp from any to me 8000-8005,80 established
ipfw add 20 allow tcp from any to me 8000-8005,80 setup limit src-addr 20

In the test environment all works fine. But on the production server (4.7-RELEASE-p7) a strange thing occurred:

ipfw -de sh | grep PARENT
00020 0 0 (2s) PARENT 3 tcp 1.2.3.4 0 <-> 0.0.0.0 0
00020 0 0 (0s) PARENT 4 tcp 1.2.3.5 0 <-> 0.0.0.0 0
00020 0 0 (0s) PARENT 4 tcp 1.2.3.6 0 <-> 0.0.0.0 0
00020 0 0 (0s) PARENT 5 tcp 1.2.3.7 0 <-> 0.0.0.0 0
00020 0 0 (0s) PARENT 65532 tcp 1.2.3.9 0 <-> 0.0.0.0 0
00020 0 0 (0s) PARENT 65534 tcp 1.2.3.10 0 <-> 0.0.0.0 0

After this, clients 1.2.3.10 and 1.2.3.9 can't establish a connection.
ipfw rule 15 doesn't log this event (sysctl net.inet.ip.fw.verbose_limit=0).
Does it mean that the client is stopped in the check-state phase?
ipfw -de | grep LIMIT | grep 1.2.3.9 shows nothing.
Some time later (10sec-60sec-???) the entry with PARENT 6553* goes away and clients 1.2.3.9 and 1.2.3.10 can work successfully.

I ran "tcpdump -w tst.dump port 80" and in parallel monitored the dynamic rule state by periodically executing "ipfw -tde sh | grep PARE | sort -n -k6" from another prompt. When the rule "PARENT 6553* with IP 1.2.3.4" occurred and went away, I stopped tcpdump.
In the dump there are no packets with (SYN,!ACK) flags for IP 1.2.3.4:

lport rport info
--------------------------------------------------------------------
http > 1219 [FIN, ACK] Seq=2688856025 Ack=172398756 Win=17520 Len=0
1219 > http [ACK] Seq=172398756 Ack=2688856026 Win=8577 Len=0
1219 > http [RST] Seq=172398756 Ack=2998869406 Win=0 Len=0
http > 1219 [ACK] Seq=2688856025 Ack=172398756 Win=0 Len=0
http > 1219 [RST] Seq=2688856026 Ack=0 Win=0 Len=0
1219 > http [RST] Seq=172398756 Ack=172398756 Win=0 Len=0

p.s. 65534 and 65532 look very strange, like a bug.
p.s.2 full tcpdump result on demand

b.r.
Kozin Maxim

From owner-freebsd-ipfw Wed Mar 19 7:22:13 2003
Date: Wed, 19 Mar 2003 22:09:53 +0700 (GMT)
Message-Id: <200303191509.h2JF9rwo010446@cscoms.com>
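The PARENT 65534 and 65532 values reported above, as an added model that is not ipfw code (the names limit_install, unlink_guarded and simulate are mine): the parent count is assumed to be a 16-bit unsigned field, because 65534 and 65532 are exactly what such a counter reads after being decremented two and four times past zero, and a wrapped count then fails the "limit src-addr 20" check, which is what a client unable to connect until the entry expires would look like. The guarded variant is the count != 0 check from the follow-up patch in this thread, except that the refused decrement is returned as an error so the double unlink is counted rather than hidden.

```c
#include <stdint.h>
#include <stddef.h>

enum { DYN_PARENT = 1, DYN_LIMIT = 2 };

struct dyn_rule {
    int type;                  /* DYN_PARENT, or DYN_LIMIT for a child state */
    uint16_t count;            /* parent only: live children (16-bit is an assumption) */
    struct dyn_rule *parent;   /* child only */
};

/* Create a child state under parent if the per-source limit allows it.
 * Returns 0 on success, -1 if the limit is reached (ipfw then drops the packet). */
int limit_install(struct dyn_rule *parent, struct dyn_rule *child, unsigned limit)
{
    if (parent->count >= limit)
        return -1;
    child->type = DYN_LIMIT;
    child->parent = parent;
    parent->count++;
    return 0;
}

/* Unlink as in the unpatched macro: the parent count is decremented without
 * a check, so unlinking a child twice wraps the counter. */
void unlink_unguarded(struct dyn_rule *q)
{
    if (q->type == DYN_LIMIT)
        q->parent->count--;
}

/* Unlink with the count != 0 guard from the follow-up patch, except that the
 * refused decrement is reported instead of silently skipped. */
int unlink_guarded(struct dyn_rule *q)
{
    if (q->type == DYN_LIMIT) {
        if (q->parent->count == 0)
            return -1;         /* would underflow: a logic error upstream */
        q->parent->count--;
    }
    return 0;
}

#define MAX_KIDS 8

/* Scenario: `children` connections from one source are opened and closed
 * normally, then `extra` of them are unlinked a second time (the suspected
 * bug). Returns the parent count afterwards; *anomalies receives the number
 * of underflows the guarded unlink refused. */
unsigned simulate(int children, int extra, int guarded, int *anomalies)
{
    struct dyn_rule parent = { DYN_PARENT, 0, NULL };
    struct dyn_rule kids[MAX_KIDS];
    int i;

    *anomalies = 0;
    if (children > MAX_KIDS) children = MAX_KIDS;
    if (extra > children) extra = children;
    for (i = 0; i < children; i++)
        limit_install(&parent, &kids[i], 20);      /* "limit src-addr 20" */
    for (i = 0; i < children; i++) {               /* normal teardown */
        if (guarded) unlink_guarded(&kids[i]); else unlink_unguarded(&kids[i]);
    }
    for (i = 0; i < extra; i++) {                  /* the double unlink */
        if (!guarded)
            unlink_unguarded(&kids[i]);
        else if (unlink_guarded(&kids[i]) < 0)
            (*anomalies)++;
    }
    return parent.count;
}

/* Parent count after the scenario: 65534 for (3, 2, 0), 65532 for (4, 4, 0). */
unsigned count_after(int children, int extra, int guarded)
{
    int anomalies;
    return simulate(children, extra, guarded, &anomalies);
}

/* Number of refused decrements: the double unlinks the guard makes visible. */
int anomalies_after(int children, int extra)
{
    int anomalies;
    simulate(children, extra, 1, &anomalies);
    return anomalies;
}

/* Can a new connection from that source still be admitted afterwards?
 * With a wrapped count the limit check fails, matching the report that the
 * client cannot connect until the PARENT entry expires. */
int new_connection_admitted(int children, int extra, int guarded)
{
    struct dyn_rule parent = { DYN_PARENT, 0, NULL };
    struct dyn_rule child;
    parent.count = (uint16_t)count_after(children, extra, guarded);
    return limit_install(&parent, &child, 20) == 0;
}
```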
From: wowwwhealthy@thaimail.com
Subject: Did you know that obese people are 30 times more at risk of diabetes than people of normal weight?
Reply-To: wowwwhealthy@thaimail.com
To: undisclosed-recipients: ;

Thai people are becoming more and more obese.

Col. Assoc. Prof. Dr. Porntita Chaiamnuay, Director of Rehabilitation Medicine at Phramongkutklao Hospital, gave a lecture titled "How to eat to stay away from heart disease and obesity". At one point in the lecture the speaker said: "What you should be aware of is that men should not let their waist exceed 36 inches, and women should not exceed 32 inches; if it is more than this, you must lose weight urgently." Because if you measure your waist and the figure is above this standard, it means you are obese.

Obese people are at risk of many serious diseases: heart disease, diabetes, high blood lipids, high blood pressure, stroke, and you may stop breathing during sleep, leading to oxygen deficiency, dizziness on waking, and a tendency to glaucoma because the blood lacks oxygen; joint disease from carrying so much weight; gout, cancer, gallstones, difficulty conceiving, respiratory disease, gallbladder disease.

Did you know that obese people are 30 times more at risk of diabetes than people of normal weight, 15 times more at risk of coronary artery disease than the general population, 11 times for stroke, and 2 times for bowel cancer? With obese people getting serious diseases and dying this easily, if we don't call a waistline above the standard a "deadly waistline", what should we call it?

How to take off the spare tyre (reduce your waist)

The doctor says obesity can be treated by controlling the calories in the food you eat: try to cut 600 calories a day, and within 7 days you can lose 0.6 kilograms, because 1 kilogram of fat equals 7,000 calories. Most importantly, you must exercise regularly every day, at least 20 minutes; 60 minutes is even better.

The doctor says we should take a keen interest in learning about nutrition: study which foods provide little energy and which provide a lot, and learn to enjoy eating low-fat food. When eating, chew slowly; you will feel full even though you eat less.

Oh! budpage recommends that you buy a tape measure and keep it at hand; every morning measure your waist, and keep a daily record as well. It's fun, and it is also a challenge that keeps us alert to losing weight. Finally, may every one of you have a waistline within the safe standard. (Having finished this article, the webmaster will excuse himself to go and buy a tape measure to control his weight too. Goodbye.)

Buddhists are invited to brainstorm on the topic "How to make exercise fun"; let's see who has clever ways to make obese people want to exercise without forcing themselves. See you again in the next useful newsletter.

*****************************************************************
If you want useful information on nutrition for good health, or want to lose weight naturally, you can request information from ...
http://www.geocities.com/healthclub999/easythin
*****************************************************************
If you no longer wish to receive this news, please notify us at www.unsubhealthclub.web1000.com

From owner-freebsd-ipfw Wed Mar 19 7:48:34 2003
Date: Wed, 19 Mar 2003 18:46:13 +0300 (MSK)
From: maxes@peterlink.ru
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: dynamic rules: PARENT 65534

/usr/src/sys/netinet/ip_fw2.c:
$FreeBSD: src/sys/netinet/ip_fw2.c,v 1.6.2.3 2002/08/21 05:34:07 luigi Exp $

--- /usr/src/sys/netinet/ip_fw2.c.old Wed Aug 21 09:34:07 2002
+++ /usr/src/sys/netinet/ip_fw2.c Wed Mar 19 16:20:54 2003
@@ -617,7 +617,7 @@
ipfw_dyn_rule *old_q = q; \
\
/* remove a refcount to the parent */ \
- if (q->dyn_type == O_LIMIT) \
+ if ((q->dyn_type == O_LIMIT) && (q->parent->count !=0)) \
q->parent->count--; \
DEB(printf("-- unlink entry 0x%08x %d -> 0x%08x %d, %d left\n", \
(q->id.src_ip), (q->id.src_port), \

It's a hack; as I understand it, ->count can't be less than 0. Error somewhere in logic.

b.r.
Kozin Maxim

From owner-freebsd-ipfw Wed Mar 19 9:45:07 2003
Date: Wed, 19 Mar 2003 09:45:06 -0800 (PST)
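Review bot: the added q->parent->count != 0 test on the O_LIMIT branch hides the underflow instead of fixing it. The PARENT 65534 and 65532 entries shown in the first message are exactly what an unsigned 16-bit count reads after two and four decrements past zero, so some child state is being unlinked, or its parent's count decremented, more often than it was incremented; with the guard in place that extra decrement still happens, it just stops leaving evidence. Keep the check as a safety net, but make the refused decrement visible, for example through the DEB() printf already on the next line, so the double unlink can be tracked down rather than masked.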
From: Norikatsu Shigemura
Message-Id: <200303191745.h2JHj62C038518@freefall.freebsd.org>
To: nork@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/42318: NATD redirect limitations

Synopsis: NATD redirect limitations

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: nork
Responsible-Changed-When: Wed Mar 19 09:41:08 PST 2003
Responsible-Changed-Why:
This is not a PR. But, anyone, please answer.

http://www.freebsd.org/cgi/query-pr.cgi?pr=42318

From owner-freebsd-ipfw Wed Mar 19 9:52:07 2003
From: Darcy Buskermolen
Organization: Wavefire Technologies Corp.
To: Norikatsu Shigemura
Cc: freebsd-ipfw@freebsd.org
Subject: Re: bin/42318: NATD redirect limitations
Date: Wed, 19 Mar 2003 09:51:48 -0800
Message-Id: <200303190951.48506.darcy@wavefire.com>
In-Reply-To: <200303191745.h2JHj62C038518@freefall.freebsd.org>

natd is not a protocol aware proxy. it is nothing more than an Address
Translator. What you need to do is redirect all port 80 traffic to an
internal proxy (squid/apache/...), which then dispatches to the IP's you are
referring to.

On Wednesday 19 March 2003 09:45, Norikatsu Shigemura wrote:
> Synopsis: NATD redirect limitations
>
> Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
> Responsible-Changed-By: nork
> Responsible-Changed-When: Wed Mar 19 09:41:08 PST 2003
> Responsible-Changed-Why:
> This is not a PR. But, anyone, please answer.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=42318

--
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com

From owner-freebsd-ipfw Wed Mar 19 9:55:20 2003
Date: Thu, 20 Mar 2003 02:55:15 +0900 (JST)
Message-Id: <200303191755.h2JHtEFE026780@nd250009.gab.xdsl.ne.jp>
From: Norikatsu Shigemura
To: Robert Withrow
Cc: freebsd-ipfw@FreeBSD.org, Darcy Buskermolen
Subject: Fw: bin/42318: NATD redirect limitations
In-Reply-To: <200303190951.48506.darcy@wavefire.com>
References: <200303191745.h2JHj62C038518@freefall.freebsd.org> <200303190951.48506.darcy@wavefire.com>
Reply-To: Robert Withrow, freebsd-ipfw@FreeBSD.org

Please don't send me:-).

On Wed, 19 Mar 2003 09:51:48 -0800
Darcy Buskermolen wrote:
> natd is not a protocol aware proxy. it is nothing more than an Address
> Translator. What you need to do is redirect all port 80 traffic to an
> internal proxy (squid/apache/...), which then dispatches to the IP's you are
> referring to.
>
> On Wednesday 19 March 2003 09:45, Norikatsu Shigemura wrote:
> > Synopsis: NATD redirect limitations
> >
> > Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
> > Responsible-Changed-By: nork
> > Responsible-Changed-When: Wed Mar 19 09:41:08 PST 2003
> > Responsible-Changed-Why:
> > This is not a PR. But, anyone, please answer.
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=42318
>
> --
> Darcy Buskermolen
> Wavefire Technologies Corp.
> ph: 250.717.0200
> fx: 250.763.1759
> http://www.wavefire.com

From owner-freebsd-ipfw Wed Mar 19 9:58:02 2003
Date: Thu, 20 Mar 2003 02:57:55 +0900 (JST)
Message-Id: <200303191757.h2JHvnFE026886@nd250009.gab.xdsl.ne.jp>
From: Norikatsu Shigemura
To: Mark Weisman
Cc: freebsd-ipfw@FreeBSD.org, Darcy Buskermolen
Subject: Fw: bin/42318: NATD redirect limitations (RESEND)
In-Reply-To: <200303190951.48506.darcy@wavefire.com>
References: <200303191745.h2JHj62C038518@freefall.freebsd.org> <200303190951.48506.darcy@wavefire.com>

Please don't send me:-).

On Wed, 19 Mar 2003 09:51:48 -0800
Darcy Buskermolen wrote:
> natd is not a protocol aware proxy. it is nothing more than an Address
> Translator. What you need to do is redirect all port 80 traffic to an
> internal proxy (squid/apache/...), which then dispatches to the IP's you are
> referring to.
>
> On Wednesday 19 March 2003 09:45, Norikatsu Shigemura wrote:
> > Synopsis: NATD redirect limitations
> >
> > Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
> > Responsible-Changed-By: nork
> > Responsible-Changed-When: Wed Mar 19 09:41:08 PST 2003
> > Responsible-Changed-Why:
> > This is not a PR. But, anyone, please answer.
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=42318
>
> --
> Darcy Buskermolen
> Wavefire Technologies Corp.
> ph: 250.717.0200
> fx: 250.763.1759
> http://www.wavefire.com

From owner-freebsd-ipfw Wed Mar 19 10:00:27 2003
Date: Thu, 20 Mar 2003 03:00:11 +0900 (JST)
Message-Id: <200303191800.h2JI0BFE027001@nd250009.gab.xdsl.ne.jp>
From: Norikatsu Shigemura
To: Robert Withrow, freebsd-ipfw@FreeBSD.org
Cc: freebsd-ipfw@FreeBSD.org, darcy@wavefire.com
Subject: Re: Fw: bin/42318: NATD redirect limitations
In-Reply-To: <200303191755.h2JHtEFE026780@nd250009.gab.xdsl.ne.jp>
References: <200303191745.h2JHj62C038518@freefall.freebsd.org> <200303190951.48506.darcy@wavefire.com> <200303191755.h2JHtEFE026780@nd250009.gab.xdsl.ne.jp>

On Thu, 20 Mar 2003 02:55:15 +0900 (JST)
Norikatsu Shigemura wrote:
> Please don't send me:-).

Robert, I sent you an unrelated mail by mistake. I'm sorry.

From owner-freebsd-ipfw Wed Mar 19 10:08:10 2003
Date: Thu, 20 Mar 2003 03:08:07 +0900 (JST)
Message-Id: <200303191808.h2JI87FE027331@nd250009.gab.xdsl.ne.jp>
From: Norikatsu Shigemura
To: mark@outlander.us, freebsd-ipfw@FreeBSD.org, darcy@wavefire.com
Subject: Re: Fw: bin/42318: NATD redirect limitations (RESEND)
In-Reply-To: <200303191757.h2JHvnFE026886@nd250009.gab.xdsl.ne.jp>
References: <200303191745.h2JHj62C038518@freefall.freebsd.org> <200303190951.48506.darcy@wavefire.com> <200303191757.h2JHvnFE026886@nd250009.gab.xdsl.ne.jp>

On Thu, 20 Mar 2003 02:57:55 +0900 (JST)
Norikatsu Shigemura wrote:
> Please don't send me:-).

Oops. By right, please don't send to me:-).

From owner-freebsd-ipfw Wed Mar 19 14:09:14 2003
Message-Id: <200303192208.JAA01920@lightning.itga.com.au>
From: Gregory Bond
To: Luigi Rizzo
Cc: "Simon L. Nielsen", "Crist J. Clark", Wiktor Niesiobedzki, freebsd-ipfw@FreeBSD.ORG, gnb@itga.com.au
Subject: Re: Prioritizing empty TCP ACKs with ipfw?
In-reply-to: Your message of Wed, 19 Mar 2003 00:41:38 -0800.
Date: Thu, 20 Mar 2003 09:08:55 +1100

> > iplenmin len
> > Matches IP packets whose total length, including header and data,
> > is minimum len bytes (packet length >= len).

If we're going to all that trouble, why not add a function/keyword to
calculate payload length (for IP/UDP/TCP), after accounting for IP and TCP
options. This would allow unambiguous detection of acks (payloadlen < 1) and
pretty good detection of interactive telnet traffic and the like. It's
pretty easy and cheap to do this calc in C but a fair bit harder to do in FW
rules.

From owner-freebsd-ipfw Wed Mar 19 18:08:09 2003
Subject: natd
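Gregory's payload-length idea above, together with Luigi's range form for iplen from earlier in this thread, as an added example that is not ipfw code and not from anyone on the list: the lengths come from the IHL and TCP data-offset fields, so an empty ACK carrying 12 bytes of TCP options and a 12-byte data segment with no options both have iplen 52 but payloads of 0 and 12, which is why iplen alone cannot single out ACKs; match_ranges implements a list in the "0-90,128-65535" style. build_tcp, packet_lengths, demo_payload and demo_empty_ack are names I chose, and the packets are constructed for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct pkt_lens {
    int ip_total;   /* IP total length field */
    int ip_hdr;     /* IHL * 4: 20 bytes plus any IP options */
    int tcp_hdr;    /* data offset * 4: 20 bytes plus any TCP options */
    int payload;    /* bytes left after both headers */
};

/* Fill in header and payload lengths of an IPv4/TCP packet. Returns 0 on
 * success, -1 if the packet is not TCP, truncated or internally inconsistent. */
int packet_lengths(const uint8_t *p, size_t len, struct pkt_lens *out)
{
    if (len < 20 || (p[0] >> 4) != 4 || p[9] != 6)
        return -1;
    int ihl = (p[0] & 0x0f) * 4;
    int total = (p[2] << 8) | p[3];
    if (ihl < 20 || total - ihl < 20 || (size_t)total > len)
        return -1;
    int thl = (p[ihl + 12] >> 4) * 4;          /* TCP data offset */
    if (thl < 20 || ihl + thl > total)
        return -1;
    out->ip_total = total;
    out->ip_hdr = ihl;
    out->tcp_hdr = thl;
    out->payload = total - ihl - thl;
    return 0;
}

/* Empty ACK: ACK set, none of FIN/SYN/RST, and no payload after the options. */
int is_empty_ack(const uint8_t *p, size_t len)
{
    struct pkt_lens l;
    if (packet_lengths(p, len, &l) != 0)
        return 0;
    uint8_t flags = p[l.ip_hdr + 13];
    return l.payload == 0 && (flags & 0x10) != 0 && (flags & 0x07) == 0;
}

/* Match value against a range list of the form Luigi proposes for iplen,
 * e.g. "0-90,128-65535". Returns 1 on match, 0 on no match, -1 on bad syntax. */
int match_ranges(const char *spec, int value)
{
    const char *s = spec;
    while (*s != '\0') {
        char *end;
        long lo = strtol(s, &end, 10), hi = lo;
        if (end == s)
            return -1;
        if (*end == '-') {
            s = end + 1;
            hi = strtol(s, &end, 10);
            if (end == s)
                return -1;
        }
        if (lo > hi)
            return -1;
        if (value >= lo && value <= hi)
            return 1;
        if (*end == ',')
            end++;
        else if (*end != '\0')
            return -1;
        s = end;
    }
    return 0;
}

/* Constructed IPv4/TCP packet: no IP options, opt_len bytes of TCP NOP
 * options (a multiple of 4), data_len bytes of payload. Returns bytes written. */
size_t build_tcp(uint8_t *buf, size_t cap, int opt_len, int data_len, uint8_t flags)
{
    int total = 40 + opt_len + data_len;
    if (opt_len < 0 || opt_len % 4 || opt_len > 40 || data_len < 0 || (size_t)total > cap)
        return 0;
    memset(buf, 0, (size_t)total);
    buf[0] = 0x45;                              /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[9] = 6;                                 /* protocol TCP */
    buf[32] = (uint8_t)(((20 + opt_len) / 4) << 4);   /* TCP data offset */
    buf[33] = flags;
    memset(buf + 40, 0x01, (size_t)opt_len);    /* NOP options */
    memset(buf + 40 + opt_len, 'x', (size_t)data_len);
    return (size_t)total;
}
/* Demo helpers: build a packet and report one figure about it (-1 on error). */
int demo_payload(int opt_len, int data_len)
{
    uint8_t b[128]; struct pkt_lens l;
    size_t n = build_tcp(b, sizeof b, opt_len, data_len, 0x10);
    return (n && packet_lengths(b, n, &l) == 0) ? l.payload : -1;
}
int demo_empty_ack(int opt_len, int data_len, uint8_t flags)
{
    uint8_t b[128];
    size_t n = build_tcp(b, sizeof b, opt_len, data_len, flags);
    return n ? is_empty_ack(b, n) : -1;
}
```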
From: Martin Larsson
Reply-To: sopppp@home.se
To: freebsd-ipfw@freebsd.org
Message-Id: <1048122397.30439.0.camel@oddjob.kul.lan>
Date: 20 Mar 2003 02:06:37 +0100

hi all

is it possible to somehow use natd with in-kernel only stuff?
if not, will this be implemented in the future?

//martin

From owner-freebsd-ipfw Fri Mar 21 8:38:09 2003
Date: Fri, 21 Mar 2003 23:31:05 +0700 (GMT)
Message-Id: <200303211631.h2LGV5wo017083@cscoms.com>
From: FreeBooklet@thaimail.com
Subject: Free giveaway! The handbook for people who used to be poor, for those interested....
Reply-To: FreeBooklet@thaimail.com
To: undisclosed-recipients: ;

> Do the hardest task first
>
> The longer I live, the more certain I am
> that the great difference between men...
> between the feeble and the powerful.......
> between the great and the insignificant, is
> energy.... invincible determination....
> a purpose once fixed, and then death or victory.
> - Sir Thomas Fowell Buxton
>
> One of the best techniques for overcoming procrastination
> and getting more done faster is to start on your hardest task first.
> This is truly "eating your frog". It is the hardest and most important
> personal management skill. Starting the morning with your biggest and
> most important task is the opposite of what most people do. This discipline
> will break your procrastination habit and put the future in your hands.
>
> Starting each day with the hardest task is a great jump start.
> You will have more drive and get better results.
>
> On the days you start your important work immediately, you will feel better
> about yourself and your work than other people do. You will feel more powerful,
> more in control of yourself, and more in charge of your life than at any other time.
>
> Build the habit of starting with the hardest task first and you will never look back.
> You will become one of the most productive people of your generation...............
> Eat that frog!!!
>
> See yourself as a work in progress. Devote yourself to cultivating the habit
> of being a high performer by practising again and again until it becomes automatic
> and easy.
>
> One of the most powerful phrases you can learn and use is
> "Just for today!" Don't worry about changing your whole life; if it sounds like
> a good idea, do it "just for today".
>
> Tell yourself: "Just for today, I will plan, prepare and start on my hardest
> task before anything else." Then you will be amazed at the difference it makes in your life.

----------------------------------------------------------------------------------------------
Are you ready for an easy way of working from home? Click Here! www.geocities.com/thaigetrich/easywork , or Tel. 0-2277-7850 press 25
-----------------------------------------------------------------------------------------------
Apologies for any inconvenience; if you do not wish to receive further messages, please e-mail easywork@maildozy.com with the subject unsub