From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 18 09:13:49 2009
From: fbsdmail@dnswatch.com
To: freebsd-ipfw@freebsd.org
Date: Sun, 18 Jan 2009 00:38:41 -0800 (PST)
Message-ID: <1528c4e04e7e0d186cf8a9d9c4974ad6.dnswclient@webmail.dnswatch.com>
Subject: possible to block one address on all ports?

Greetings,

I have what I hope is a simple question that I /hope/ has a simple option. Here's my scenario: my current filtering is done on an application/service level. While I'm anxious to migrate this to IPFW, I don't yet have the time available that will be required. But I have a situation that requires the need to drop any, and all, requests from one single IP address.
So I thought I might seize this situation as an opportunity to "get my feet wet" with IPFW. So here's my question: is it possible for me to use IPFW without altering any traffic, that is, nothing changes on incoming/outgoing EXCEPT where this /evil/ IP is concerned? Or, can I start IPFW and use it to ONLY drop all requests from this /evil/ IP, no matter which ports that IP makes a request on? I can? Can/would anyone be willing to tell me how?

Apologies in advance, I realize this is pretty "ground level stuff". But I feel if I could get a good start, getting up to speed from there will be a greatly shortened learning curve.

Thank you for all your time and consideration.

--Chris

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 18 22:13:30 2009
From: Kim Shrier
To: fbsdmail@dnswatch.com
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 18 Jan 2009 14:57:53 -0700
Message-Id: <4A2B0C19-799B-4C09-A887-8FDC6AE0B019@tinker.com>
In-Reply-To: <1528c4e04e7e0d186cf8a9d9c4974ad6.dnswclient@webmail.dnswatch.com>
Subject: Re: possible to block one address on all ports?
On Jan 18, 2009, at 1:38 AM, fbsdmail@dnswatch.com wrote:

> ... snip ...
> Is it possible for me to use IPFW without altering any traffic - that is; nothing changes on incoming/outgoing EXCEPT where this /evil/ IP is concerned?
> Or, can I start IPFW, and use it to ONLY drop all requests from this /evil/ IP no matter which ports that IP makes a request on?
> I can? Can/would anyone be willing to tell me how?
> ... snip ...

In order to use ipfw, you need to have it compiled into your kernel or you need to load the ipfw.so kernel module, and then you need to enable filtering, and finally you need to specify some rules to control the filtering.

I am going to assume that you don't have ipfw compiled into your kernel and will need to load the kernel module.
Probably the easiest way to get started is to define the following variables in /etc/rc.conf or /etc/rc.conf.local, your preference.

    firewall_enable="YES"
    firewall_type="OPEN"
    firewall_logging="YES"

These directives enable ipfw, tell it to block nothing, and enable logging of blocked packets. You can then start up ipfw with the following command:

    # /etc/rc.d/ipfw start

You can view the filtering rules that are installed with this command:

    # ipfw list
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65000 allow ip from any to any
    65535 deny ip from any to any

The following description of what happens is oversimplified but is accurate enough to get you started with ipfw. Each filter rule has a rule number. When a packet comes in, it is compared to each rule until there is a match. When there is a match, the specified action is carried out. In the rules above, the only actions are allow and deny. There are other actions, but you can learn about them later as you get more comfortable with ipfw.

The first rule (100) allows all IP traffic that goes through the loopback interface to go on through. This basically says that anything on the machine that wants to talk to anything else on the machine via the loopback interface should be allowed to do it.

The second rule (200) blocks anything whose destination IP is on the 127.0.0.0 network. The reason you want to block these packets is that legitimate network packets going to the 127.0.0.0 network should be on the lo0 interface. Those packets would have been matched by rule 100 and already allowed; they would never get to rule 200. So packets going to the 127.0.0.0 network but not on the lo0 interface are blocked.

The third rule (300) is similar to rule 200, except that it blocks packets that have a source address on the 127.0.0.0 network and are not on the lo0 interface.
Once again, legitimate packets coming from a 127.0.0.0 network address should be on lo0 and already allowed by rule 100.

The fourth rule (65000) allows all IP packets with any source address and any destination address to go on through the filter.

The fifth rule (65535) is installed by ipfw as the default rule. It blocks all IP packets that have not been explicitly allowed or blocked by previous rules.

Once you have these rules in place, it is easy to add a rule to block traffic from the evil machine. Assuming that you want to block all IP traffic, including TCP, UDP, ICMP, etc., you can insert a rule after 300 and before 65000 to do this.

    # ipfw add 1000 deny log ip from www.xxx.yyy.zzz to any

This defines a filter rule numbered 1000 that will be evaluated after rule 300. It will deny (drop) all IP packets with a source address of www.xxx.yyy.zzz and any destination address. It will also log this event to /var/log/security. If you don't want to log these packets, you can remove the word "log" from the above command.

Viewing your rules should give you the following:

    # ipfw list
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    01000 deny log ip from www.xxx.yyy.zzz to any
    65000 allow ip from any to any
    65535 deny ip from any to any

This gives you an open firewall that only blocks packets from the evil machine and spoofed 127.0.0.0/8 packets.
Kim

--
Kim Shrier - principal, Shrier and Deihl - mailto:kim@tinker.com
Remote Unix Network Admin, Security, Internet Software Development
Tinker Internet Services - Superior FreeBSD-based Web Hosting
http://www.tinker.com/

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 18 23:28:53 2009
From: fbsdmail@dnswatch.com
To: "Kim Shrier"
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 18 Jan 2009 15:28:51 -0800 (PST)
Message-ID: <581b3767ad793d5bce046a42f6516798.dnswclient@webmail.dnswatch.com>
In-Reply-To: <4A2B0C19-799B-4C09-A887-8FDC6AE0B019@tinker.com>
Subject: Re: possible to block one address on all ports?
Greetings Kim, and thank you very much for such a concise overview...

On Sun, January 18, 2009 1:57 pm, Kim Shrier wrote:
> ... snip ...
> Viewing your rules should give you the following:
>
> # ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 01000 deny log ip from www.xxx.yyy.zzz to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> This gives you an open firewall that only blocks packets from the evil machine and spoofed 127.0.0.0/8 packets.

I find I'm only left with one question: if my box is assigned an internet-routable IP (not a private IP), which address should take precedence? In other words, knowing that IPFW works "top down", or "first match", how would/should I add my internet-routable IP (assuming I should)? Or should I simply replace 127.0.0.1 with my internet-routable IP, as shown in your example?

I see you have posted another reply. I'll see if you've already addressed my question in that reply. :)

Thank you again for taking the time to be so helpful.

Best wishes.

--Chris

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 19 00:42:23 2009
From: Kim Shrier
To: fbsdmail@dnswatch.com
In-Reply-To:
<581b3767ad793d5bce046a42f6516798.dnswclient@webmail.dnswatch.com>
Date: Sun, 18 Jan 2009 17:42:19 -0700
Cc: freebsd-ipfw@freebsd.org
Subject: Re: possible to block one address on all ports?

On Jan 18, 2009, at 4:28 PM, fbsdmail@dnswatch.com wrote:

> Greetings Kim, and thank you very much for such a concise overview...
> ... snip ...
>
> I find I'm only left with one question: if my box is assigned an internet-routable IP (not a private IP), which address should take precedence? In other words, knowing that IPFW works "top down", or "first match", how would/should I add my internet-routable IP (assuming I should)? Or should I simply replace 127.0.0.1 with my internet-routable IP, as shown in your example?
>
> I see you have posted another reply. I'll see if you've already addressed my question in that reply. :)
>
> Thank you again for taking the time to be so helpful.
>
> Best wishes.
>
> --Chris

You don't need to do anything for your routable IP address. Packets going to and coming from that IP will be matched by rule 65000 and go on through the filter. Also, you don't want to change rules 100 through 300 regardless of the IP address of your interface.

I don't know what you are doing with your machine, but you can look at the rules inserted by the WORKSTATION or SIMPLE firewall configurations to see how to do more sophisticated filtering.
I also recommend the book "Building Internet Firewalls" by Chapman and Zwicky to learn more about packet filtering.

Kim

--
Kim Shrier - principal, Shrier and Deihl - mailto:kim@tinker.com
Remote Unix Network Admin, Security, Internet Software Development
Tinker Internet Services - Superior FreeBSD-based Web Hosting
http://www.tinker.com/

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 19 11:07:00 2009
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 19 Jan 2009 11:06:59 GMT
Message-Id: <200901191106.n0JB6xUj062992@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o bin/130132   ipfw  [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw  [ipfw] IPFW check state does not work =(
o kern/129093  ipfw  [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw  [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw  [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw  [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw  [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw  [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw  [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw  [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw  [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw  [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw  [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw  [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw  [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw  [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw  [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

52 problems total.
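The rule set Kim Shrier walked through earlier in this thread is evaluated first-match: ipfw compares a packet against the rules in ascending number order and stops at the first one that matches, which is why the block rule has to be numbered below the catch-all allow at 65000. What follows is an added example, not code from the thread or from FreeBSD: a small Python model of that evaluation over the same six rules. 192.0.2.66 stands in for www.xxx.yyy.zzz (an assumption; it is a documentation-only address), em0 is the assumed name of the outside interface, and 203.0.113.10 the assumed routable address of the box. It shows that the evil host is dropped whatever protocol or port it uses, that spoofed 127/8 packets arriving off lo0 are dropped, that the box's own routable address needs no rule of its own (Chris's follow-up question), and what silently goes wrong if the block rule is numbered after 65000.

```python
"""Toy model of ipfw first-match evaluation (added example, not from the thread).

It understands only what the OPEN rule set plus the added block rule use:
the allow/deny actions, the optional 'log' keyword, 'ip' as the protocol,
'from <addr> to <addr>' and the 'via <iface>' option.  Real ipfw matches far
more (protocols, ports, TCP flags, dynamic state); this only makes the
rule-ordering behaviour concrete.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stand-in for www.xxx.yyy.zzz in the thread.  192.0.2.0/24 is reserved for
# documentation (TEST-NET-1), so this is an assumption, not a real offender.
EVIL = "192.0.2.66"
OUTSIDE_IFACE = "em0"   # assumed name of the routable interface


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "allow" or "deny"
    src: str                   # "any" or address/CIDR
    dst: str                   # "any" or address/CIDR
    via: Optional[str] = None  # interface the packet must be on, if given
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    proto: str = "tcp"         # tcp/udp/icmp; every rule here says 'ip', so it never matters
    dport: Optional[int] = None


def addr_matches(spec: str, addr: str) -> bool:
    """'any' matches everything; otherwise spec is a host or CIDR."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse(line: str) -> Rule:
    """Parse one line in the form `ipfw list` prints, e.g.
    '01000 deny log ip from 192.0.2.66 to any' or
    '00100 allow ip from any to any via lo0'."""
    t = line.split()
    number, action = int(t[0]), t[1]
    log = t[2] == "log"
    i = t.index("from")
    src, dst = t[i + 1], t[i + 3]
    via = t[t.index("via") + 1] if "via" in t else None
    return Rule(number, action, src, dst, via, log)


# The six rules from the thread: the OPEN type plus the added rule 1000.
RULESET: List[Rule] = [parse(line) for line in f"""
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01000 deny log ip from {EVIL} to any
65000 allow ip from any to any
65535 deny ip from any to any
""".strip().splitlines()]

# Same block rule, but numbered after the catch-all allow: the mistake the
# "insert after 300 and before 65000" advice is guarding against.
MISORDERED: List[Rule] = [r for r in RULESET if r.number != 1000] + [
    parse(f"65100 deny log ip from {EVIL} to any")
]


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[int, str, bool]:
    """Return (rule number, action, logged) for the first rule that matches.
    ipfw walks rules in ascending number order and stops at the first hit;
    rule 65535 is the kernel default and matches everything, so a complete
    rule set never falls through."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if rule.via is not None and rule.via != pkt.iface:
            continue
        if addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst):
            return rule.number, rule.action, rule.log
    raise RuntimeError("no rule matched; the default rule 65535 is missing")


if __name__ == "__main__":
    MY_IP = "203.0.113.10"   # assumed routable address of the box
    cases = {
        "evil -> ssh":       Packet(EVIL, MY_IP, OUTSIDE_IFACE, "tcp", 22),
        "evil -> dns":       Packet(EVIL, MY_IP, OUTSIDE_IFACE, "udp", 53),
        "evil -> ping":      Packet(EVIL, MY_IP, OUTSIDE_IFACE, "icmp"),
        "loopback":          Packet("127.0.0.1", "127.0.0.1", "lo0"),
        "spoofed dst 127/8": Packet("198.51.100.5", "127.0.0.1", OUTSIDE_IFACE),
        "spoofed src 127/8": Packet("127.0.0.1", MY_IP, OUTSIDE_IFACE),
        "normal client":     Packet("198.51.100.5", MY_IP, OUTSIDE_IFACE, "tcp", 80),
    }
    for name, pkt in cases.items():
        print(f"{name:18s} -> {evaluate(RULESET, pkt)}")
    print("misordered, evil   ->", evaluate(MISORDERED, cases["evil -> ssh"]))
```

Two practical notes for anyone following the recipe, from the editor rather than the thread: `ipfw add` only changes the rule set in the running kernel, so rule 1000 is gone after a reboot or `/etc/rc.d/ipfw restart`, which rebuilds the rules from `firewall_type`. rc.conf(5) lets `firewall_type` name a file of rules (one `add ...` command per line, loaded with `ipfw -q`) instead of a keyword such as "OPEN", which is the simplest way to make the block persistent. And a rule numbered above 65000, as the MISORDERED case shows, is never reached, yet `ipfw add` accepts it without complaint; `ipfw list` will show it and `ipfw show` will show its packet counter staying at zero.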
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 20 16:07:24 2009
From: Kiril Georgiev
Reply-To: arkadietz@yahoo.com
To: freebsd-net@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 20 Jan 2009 07:40:43 -0800 (PST)
Message-ID: <252793.48085.qm@web51910.mail.re2.yahoo.com>
Subject: Question :)

Hello!

I want to ask whether FreeBSD has equivalent commands and, if so, what they are: commands such as ip route and ip rule. I also want to know whether FreeBSD does better than Linux kernel 2.6.8 in the role of bridge, router, VPN, and in the quality of a PPPoE hub. I am interested in whether FreeBSD does better than Linux. And say how many pps / Mbit / gigabytes of packets it can accept, or fail at, per second. The idea is that I have an internet service provider and a 500 Mb/s link; will FreeBSD cope better with this? An example of one of the things I am asking about is below. If you can do some tests and comparisons I will be very grateful. This is very important to me and of great importance.

Example:

    ip rou add 192.168.0.0/24 via 10.0.0.1 table fake
    ip rule add from 192.168.0.0/24 table fake
    ip rule add from 192.168.0.0/24 table fake pref 12000

Say what these examples would look like in IPFW, if you can do something.

---
When you dream there are no rules, people can fly, anything can happen. Sometimes there is a moment as you are awakening when you become aware of the real world around you, but you are still dreaming. You may think you can fly but you do better not try. People can fly.
Arkadietz cOrp. © 2000-2008, Inc.