From owner-freebsd-ipfw@FreeBSD.ORG Sun May 9 01:17:00 2004
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A45416A4CE for ; Sun, 9 May 2004 01:17:00 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2960B43D2D for ; Sun, 9 May 2004 01:17:00 -0700 (PDT) (envelope-from rizzo@icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.8) with ESMTP id i498Gxgd053698; Sun, 9 May 2004 01:16:59 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id i498Gx0i053697; Sun, 9 May 2004 01:16:59 -0700 (PDT) (envelope-from rizzo)
Date: Sun, 9 May 2004 01:16:59 -0700
From: Luigi Rizzo
To: "Louis A. Mamakos"
Message-ID: <20040509011659.A52837@xorpc.icir.org>
References: <104341060709.20040505171307@vkt.lt> <20040505194451.V9766@lath.rinet.ru> <20040506153815.A75812@xorpc.icir.org> <20040507024206.B61144@xorpc.icir.org> <20040507150212.P5201@lath.rinet.ru> <20040509020814.61BB120F78@whizzo.transsys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20040509020814.61BB120F78@whizzo.transsys.com>; from louie@transsys.com on Sat, May 08, 2004 at 10:08:14PM -0400
Cc: freebsd-ipfw@freebsd.org
Cc: Oleg Bulyzhin
Subject: Re: ipfw: ouch!, skip past end of rules, denying packet
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 09 May 2004 08:17:00 -0000

On Sat, May 08, 2004 at 10:08:14PM -0400, Louis A. Mamakos wrote:
>
> Not to hijack the thread here, but if you're looking at this code, it
> would be nice if the logic that the ipfw "queue" command used was
> similar to "divert"; where processing picks up at the next higher
> rule number rather than the next rule (which might be numbered the
> same.)

actually i don't think the 'divert' behaviour was intentional, but
just a side effect of the fact that the only visible rule identifier
in userland is the rule number, and so you couldn't do otherwise.
For dummynet pipes the situation is different, as packets remain in
the kernel, so you can keep track correctly of the matching rule and
locate the next one.

I understand that what you propose can be used to implement a
'switch' block, but i wonder if changing the behaviour now wouldn't
break POLA...

cheers
luigi

> I'd like to have a bunch of queue commands in a row (perhaps with less
> specific matching criteria in successive rules) and know that if they're
> all numbered the same, only the first one will match.
>
> louie

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 9 04:53:57 2004
From: Mistery X
To: freebsd-ipfw@freebsd.org
Date: Sun, 9 May 2004 13:53:52 +0200
Message-Id: <20040509115352.D1A90D0B76@rekin6.o2.pl>
Subject: Help needed in correcting IPFW2 ruleset

Hi,

I'm a newbie in the IPFW BSD firewall, so I wanted to ask whether anybody
can check my rules (below) to see if they are free of rubbish and fairly
secure. The system is not protecting any network, just itself; it has to
be able to send DHCP queries and DNS queries (I don't have bind on it), it
also serves a www page, and it has to allow people to log in via ssh2 and
use smtp, pop3 and irc. I think that's all. Please take a while and give
me some suggestions (if any are needed) on the security and functionality
of these rules. Thanks a lot for any help & comments!!
IPFW Rules:

#loopback on lo0
add 100 pass all from any to any via lo0
add 110 deny all from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
#anti spoof
add 200 deny all from 10.0.0.0/8 to any via fxp0
add 210 deny all from 172.16.0.0/12 to any via fxp0
add 220 deny all from 192.168.0.0/16 to any via fxp0
add 230 deny all from 169.254.0.0/16 to any via fxp0
add 240 deny all from 192.0.2.0/24 to any via fxp0
add 250 deny all from 224.0.0.0/4 to any via fxp0
add 260 deny all from 240.0.0.0/4 to any via fxp0
#ruleset
add 300 pass tcp from any to any established
add 310 pass all from any to any frag
add 320 pass all from any to me 25 setup
add 330 pass udp from me 53 to any via fxp0
add 340 pass tcp from any to me 80 setup
add 350 deny log tcp from any to any via fxp0 setup
add 360 pass tcp from any to any setup
#reject rest
add 65000 deny all from any to any via any

Best regards,
mumija.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 10 11:01:58 2004
Date: Mon, 10 May 2004 11:01:57 -0700 (PDT)
Message-Id: <200405101801.i4AI1vEV096156@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557 ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274 ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341 ipfw  ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] misc/63724 ipfw  IPFW2 Queues dont t work
o [2004/03/13] kern/64240 ipfw  IPFW tee terminates rule processing

5 problems total.

Non-critical problems
S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534 ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080 ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159 ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564 ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172 ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086 ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959  ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749  ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984 ipfw  [patch] time based firewalling support fo
o [2003/12/29] kern/60719 ipfw  ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259 ipfw  [patch] make "ipfw tee" work as intended
o [2004/02/09] kern/62598 ipfw  no logging on ipfw loadable module
o [2004/03/08] kern/63961 ipfw  ipfw2 uid matching doesn't work correctly

13 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 13 01:01:12 2004
Message-ID: <40A3393F.1391943E@kuzbass.ru>
Date: Thu, 13 May 2004 17:00:47 +0800
From: Eugene Grosbein
Organization: SVZServ
To: net@freebsd.org
Cc: ipfw@freebsd.org
Subject: ipfw: reset tcp

Hi!

When a rule 'reset tcp' matches, the kernel generates a new TCP packet.
Will it have to go through the ipfw list (from the beginning or not)?
Eugene Grosbein

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 13 01:23:45 2004
Date: Thu, 13 May 2004 01:23:44 -0700
From: Luigi Rizzo
To: Eugene Grosbein
Cc: ipfw@freebsd.org
Cc: net@freebsd.org
Message-ID: <20040513012344.A12373@xorpc.icir.org>
In-Reply-To: <40A3393F.1391943E@kuzbass.ru>; from eugen@kuzbass.ru on Thu, May 13, 2004 at 05:00:47PM +0800
Subject: Re: ipfw: reset tcp

On Thu, May 13, 2004 at 05:00:47PM +0800, Eugene Grosbein wrote:
> Hi!
>
> When a rule 'reset tcp' matches, a kernel generates new TCP packet.
> Will it have to go through ipfw list (from the beginning or not)?
ipfw2 uses an mbuf flag to bypass the firewall - I am not sure if i
only used it for the keepalives or also for TCP reset packets

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 13 01:32:05 2004
Message-ID: <40A34082.F0182B31@kuzbass.ru>
Date: Thu, 13 May 2004 17:31:46 +0800
From: Eugene Grosbein
Organization: SVZServ
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Cc: net@freebsd.org
Subject: Re: ipfw: reset tcp

Luigi Rizzo wrote:
> > When a rule 'reset tcp' matches, a kernel generates new TCP packet.
> > Will it have to go through ipfw list (from the beginning or not)?
>
> ipfw2 uses an mbuf flag to bypass the firewall - I am not sure if i
> only used it for the keepalives or also for TCP reset packets

Please check. I suspect it does not enter ipfw itself, it is not
processed by my natd and bad things happen here.
Eugene

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 13 01:35:45 2004
Date: Thu, 13 May 2004 12:35:42 +0400
From: Gleb Smirnoff
To: Eugene Grosbein
Cc: Luigi Rizzo
Cc: ipfw@freebsd.org
Cc: net@freebsd.org
Message-ID: <20040513083542.GD31159@cell.sick.ru>
In-Reply-To: <40A34082.F0182B31@kuzbass.ru>
Subject: Re: ipfw: reset tcp

On Thu, May 13, 2004 at 05:31:46PM +0800, Eugene Grosbein wrote:
E> > > When a rule 'reset tcp' matches, a kernel generates new TCP packet.
E> > > Will it have to go through ipfw list (from the beginning or not)?
E> >
E> > ipfw2 uses an mbuf flag to bypass the firewall - I am not sure if i
E> > only used it for the keepalives or also for TCP reset packets
E>
E> Please check. I suspect it does not enter ipfw itself,
E> it is not processed by my natd and bad things happen here.

According to send_pkt() in ip_fw2.c it does not pass the firewall, since
M_SKIP_FIREWALL is set.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 13 01:37:17 2004
Date: Thu, 13 May 2004 01:37:17 -0700
From: Luigi Rizzo
To: Eugene Grosbein
Cc: ipfw@freebsd.org
Cc: net@freebsd.org
Message-ID: <20040513013717.A16394@xorpc.icir.org>
In-Reply-To: <40A34082.F0182B31@kuzbass.ru>; from eugen@kuzbass.ru on Thu, May 13, 2004 at 05:31:46PM +0800
Subject: Re: ipfw: reset tcp

On Thu, May 13, 2004 at 05:31:46PM +0800, Eugene Grosbein wrote:
> Luigi Rizzo wrote:
> > > When a rule 'reset tcp' matches, a kernel generates new TCP packet.
> > > Will it have to go through ipfw list (from the beginning or not)?
> >
> > ipfw2 uses an mbuf flag to bypass the firewall - I am not sure if i
> > only used it for the keepalives or also for TCP reset packets
>
> Please check. I suspect it does not enter ipfw itself,

yes it does skip the firewall, see ip_fw2.c:send_pkt() near the end:

        ip_rtaddr(ip->ip_dst, &sro);
--->    m->m_flags |= M_SKIP_FIREWALL;
        ip_output(m, NULL, &sro, 0, NULL, NULL);

removing the M_SKIP_FIREWALL would let ipfw process the packet too.
HOWEVER: i think it is a bug in the general case to reprocess an
internally-generated packet, because you would rely on a correct ipfw
configuration to avoid loops (which might not be the case).

I have no idea how ipfw1 used to do it (and i am not going to check!)
but i don't think the generated packet did reenter the firewall.

cheers
luigi

> it is not processed by my natd and bad things happen here.
>
> Eugene

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 13 01:55:23 2004
Message-ID: <40A345F9.1460F5C4@kuzbass.ru>
Date: Thu, 13 May 2004 17:55:05 +0800
From: Eugene Grosbein
Organization: SVZServ
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Cc: net@freebsd.org
Subject: Re: ipfw: reset tcp

Luigi Rizzo wrote:
> > Please check. I suspect it does not enter ipfw itself,
>
> yes it does skip the firewall, see ip_fw2.c:send_pkt() near the
> end:
>
>         ip_rtaddr(ip->ip_dst, &sro);
> --->    m->m_flags |= M_SKIP_FIREWALL;
>         ip_output(m, NULL, &sro, 0, NULL, NULL);
>
> removing the M_SKIP_FIREWALL would let ipfw process the
> packet too. HOWEVER: i think it is a bug in the general case
> to reprocess internally-generated packet, because you would rely
> on a correct ipfw configuration to avoid loops (which might not
> be the case).
>
> I have no idea how ipfw1 used to do (and i am not goin to check!)
> but i don't think the generated packet did reenter the firewall.

I use ipfw2.

Please make it possible (using sysctl or any other means) to
disable M_SKIP_FIREWALL for such packets (I suppose 'unreach' rules
are affected too). I DO need to process ALL outgoing packets.
For example, I must use 'ipfw fwd' (to implement policy routing)
for the packets with source IP like this.
Eugene

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 13 02:11:38 2004
Date: Thu, 13 May 2004 13:11:34 +0400
From: Gleb Smirnoff
To: Eugene Grosbein
Cc: Luigi Rizzo
Cc: ipfw@freebsd.org
Cc: net@freebsd.org
Message-ID: <20040513091134.GA31609@cell.sick.ru>
In-Reply-To: <40A345F9.1460F5C4@kuzbass.ru>
Subject: Re: ipfw: reset tcp

On Thu, May 13, 2004 at 05:55:05PM +0800, Eugene Grosbein wrote:
E> Please make it possible (using sysctl or any other mean) to
E> disable M_SKIP_FIREWALL for such packets (I suppose 'unreach' rules
E> are affected too). I DO need to process ALL outgoing packets.
E> For exapmle, I must use 'ipfw fwd' (to implement policy routing)
E> for the packets with source IP like this.

A better idea is to separate policy routing decisions from the packet
filter. However, implementing this is much more difficult than just
removing one string from send_pkt().

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 13 06:48:58 2004
Date: Thu, 13 May 2004 06:48:56 -0700
From: Luigi Rizzo
To: Eugene Grosbein
Cc: ipfw@freebsd.org
Cc: net@freebsd.org
Message-ID: <20040513064856.B42908@xorpc.icir.org>
In-Reply-To: <40A345F9.1460F5C4@kuzbass.ru>; from eugen@kuzbass.ru on Thu, May 13, 2004 at 05:55:05PM +0800
Subject: Re: ipfw: reset tcp

On Thu, May 13, 2004 at 05:55:05PM +0800, Eugene Grosbein wrote:
...
> > removing the M_SKIP_FIREWALL would let ipfw process the
> > packet too. HOWEVER: i think it is a bug in the general case
> > to reprocess internally-generated packet, because you would rely
> > on a correct ipfw configuration to avoid loops (which might not
> > be the case).
> >
> > I have no idea how ipfw1 used to do (and i am not goin to check!)
> > but i don't think the generated packet did reenter the firewall.
>
> I use ipfw2.
>
> Please make it possible (using sysctl or any other mean) to
> disable M_SKIP_FIREWALL for such packets (I suppose 'unreach' rules
> are affected too). I DO need to process ALL outgoing packets.
> For exapmle, I must use 'ipfw fwd' (to implement policy routing)
> for the packets with source IP like this.

ok the situation is the following:

1.- unreach rules send packets through send_reject() which in turn
    calls icmp_error() which in turn goes through the firewall;
    This is safe because ipfw2 will not generate an ICMP reject in
    response to an ICMP packet, so loops are avoided;

2.- all other firewall-generated TCP packets (rst and keepalives)
    go through send_pkt() and then bypass the firewall.
    The only way we could safely go through the firewall again is
    to make sure that we never send a RST in response to a RST (need
    to add an additional check in O_REJECT).

Give me a few days (i.e. ping me again on monday!) to come up with
a safe patch to do this, which does not rely on the programmer to
DTRT and avoid loops.
cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 13 06:55:44 2004
Date: Thu, 13 May 2004 21:55:39 +0800
From: Eugene Grosbein
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Cc: net@freebsd.org
Message-ID: <20040513135539.GA13211@grosbein.pp.ru>
In-Reply-To: <20040513064856.B42908@xorpc.icir.org>
Subject: Re: ipfw: reset tcp

On Thu, May 13, 2004 at 06:48:56AM -0700, Luigi Rizzo wrote:
> 2.- all other firewall-generated TCP packets (rst and keepalives)
> go through send_pkt() and then bypass the firewall.
> The only way we could safely go through the firewall again is
> to make sure that we never send a RST in response to a RST (need
> to add an additional check in O_REJECT).
>
> Give me a few days (i.e. ping me again on monday!) to come up with
> a safe patch to do this, which does not rely on the programmer to
> DTRT and avoid loops.

Thanks a lot!

Eugene

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 14 02:46:30 2004
Message-ID: <015801c4398f$37ddb600$2268a8c0@SJAAK>
From: "Sjaak Nabuurs"
Date: Fri, 14 May 2004 10:41:15 +0200
Subject: ipfw set move

Hello

Why, or what's wrong with

    ipfw set move 2001 to 2000

The error message it returns:

    ipfw invalid source number 2001

but any number is invalid. What could be wrong? Using FreeBSD 5.2.

Thnxs
Sjaak

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 14 06:41:48 2004
From: "Marcos Martins"
Date: Fri, 14 May 2004 10:44:09 -0300
Subject: Manual

Where can I get any kind of manual for IPFW?

Thanks
Marcos Martins

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 15 17:04:08 2004
Message-ID: <20040516000406.23044.qmail@web50804.mail.yahoo.com>
Date: Sat, 15 May 2004 17:04:06 -0700 (PDT)
From: Candy
To: freebsd-ipfw@freebsd.org

Hi all,

I am currently doing a project whereby I am required to tweak the ipfw
parameters such as ip addresses, port number etc. I would like to check
whether there are any APIs available for the ipfw to do this job? Or do
you have any suggestions on how to tweak the values without the
administrator doing it manually? I want the whole tweaking process to be
automated.

For example, when functionA passes the source and destination ip
addresses to functionB (the action is "block" by default unless otherwise
stated), functionB should be able to amend the ipfw parameters by some
automated means. Hence I am looking for solutions to those automated
means.

Please help me with this. Thanks in advance.

Regards,
Candy
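The ruleset mumija posted earlier in this digest ("Help needed in correcting IPFW2 ruleset") can be checked mechanically against the flows the host is supposed to carry, which is the kind of review the poster asked for. What follows is an added example, not code from the list or from FreeBSD: a small Python model of ipfw's first-match lookup that parses that ruleset (with the two typos in rule 65000, "anty" and "vi", corrected so it parses) and reports which rule decides each sample packet. The host address 203.0.113.10, the peer addresses, ports and TCP flags are constructed; the model implements setup/established/frag/me/via as ipfw documents them, accepts and ignores "log", and knows nothing about dynamic rules or the in/out keywords.

```python
"""Toy ipfw ruleset evaluator (added example, not FreeBSD's ipfw): parses the rule
subset used in the posted ruleset and reports which rule decides each sample packet."""
import ipaddress
from dataclasses import dataclass

ME = {"203.0.113.10"}   # constructed: the host's own address, what ipfw's "me" resolves to
STOP = ("via", "setup", "established", "frag")

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: "int | None"   # None for protocols without ports
    dst: str
    dport: "int | None"
    iface: str            # interface the packet enters or leaves through (rule "via")
    flags: str = ""       # TCP flags as letters: "S"yn, "A"ck, "R"st
    frag_offset: int = 0  # non-zero for non-first IP fragments

def parse_rule(line):
    """Parse 'add N action [log] proto from SRC [ports] to DST [ports] [via IF] [opts]'."""
    t = line.split()
    t = t[1:] if t[0] == "add" else t
    r = {"num": int(t[0]), "action": t[1], "sports": None, "dports": None, "via": None, "opts": set()}
    i = 3 if t[2] == "log" else 2          # 'log' is accepted and ignored by this model
    if t[i + 1] != "from":
        raise ValueError("cannot parse rule: " + line)
    r["proto"], r["src"], i = t[i], t[i + 2], i + 3
    if t[i] != "to":                       # optional source port list
        r["sports"], i = {int(p) for p in t[i].split(",")}, i + 1
    r["dst"], i = t[i + 1], i + 2          # t[i] is the "to" keyword
    if i < len(t) and t[i] not in STOP:    # optional destination port list
        r["dports"], i = {int(p) for p in t[i].split(",")}, i + 1
    while i < len(t):
        if t[i] == "via":
            r["via"], i = t[i + 1], i + 2
        else:
            r["opts"].add(t[i])
            i += 1
    return r

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, p):
    o, tcp = r["opts"], p.proto == "tcp"
    return (r["proto"] in ("all", "ip", p.proto)
            and addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
            and (r["sports"] is None or p.sport in r["sports"])
            and (r["dports"] is None or p.dport in r["dports"])
            and r["via"] in (None, "any", p.iface)
            and ("setup" not in o or (tcp and "S" in p.flags and "A" not in p.flags))
            and ("established" not in o or (tcp and ("A" in p.flags or "R" in p.flags)))
            and ("frag" not in o or p.frag_offset > 0))

def lookup(rules, p):
    """First match in rule-number order wins; the implicit rule 65535 denies the rest."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if rule_matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"

# The ruleset posted on the list, with the two typos in rule 65000 ("anty", "vi") fixed.
RULESET = [parse_rule(l) for l in """
add 100 pass all from any to any via lo0
add 110 deny all from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 deny all from 10.0.0.0/8 to any via fxp0
add 210 deny all from 172.16.0.0/12 to any via fxp0
add 220 deny all from 192.168.0.0/16 to any via fxp0
add 230 deny all from 169.254.0.0/16 to any via fxp0
add 240 deny all from 192.0.2.0/24 to any via fxp0
add 250 deny all from 224.0.0.0/4 to any via fxp0
add 260 deny all from 240.0.0.0/4 to any via fxp0
add 300 pass tcp from any to any established
add 310 pass all from any to any frag
add 320 pass all from any to me 25 setup
add 330 pass udp from me 53 to any via fxp0
add 340 pass tcp from any to me 80 setup
add 350 deny log tcp from any to any via fxp0 setup
add 360 pass tcp from any to any setup
add 65000 deny all from any to any via any
""".splitlines() if l.strip()]

# Constructed packets for the flows the poster says the host must carry, plus one spoof.
FLOWS = {
    "inbound ssh SYN":       Packet("tcp", "198.51.100.7", 40000, "203.0.113.10", 22, "fxp0", "S"),
    "inbound http SYN":      Packet("tcp", "198.51.100.7", 40001, "203.0.113.10", 80, "fxp0", "S"),
    "inbound smtp SYN":      Packet("tcp", "198.51.100.7", 40002, "203.0.113.10", 25, "fxp0", "S"),
    "outbound irc SYN":      Packet("tcp", "203.0.113.10", 49152, "198.51.100.9", 6667, "fxp0", "S"),
    "outbound DNS query":    Packet("udp", "203.0.113.10", 49153, "203.0.113.53", 53, "fxp0"),
    "outbound DHCP request": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "fxp0"),
    "spoofed SYN from 10/8": Packet("tcp", "10.1.2.3", 40004, "203.0.113.10", 80, "fxp0", "S"),
}

def audit(rules=RULESET, flows=FLOWS):
    return {name: lookup(rules, pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    print("\n".join(f"{n:24s} -> rule {r[0]} {r[1]}" for n, r in audit().items()))
```

Running it shows what a reviewer of that ruleset would point out: SYNs to ports 25 and 80 are accepted by rules 320 and 340, but rule 350 rejects every other SYN on fxp0 in both directions, so inbound ssh and pop3 and the host's own outbound irc connections never reach rule 360; the UDP flows (DNS queries from an ephemeral port, the DHCP request) fall through to 65000, because rule 330 only matches packets sourced from port 53. The anti-spoof rules do their job, as the 10/8 sample shows.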
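The two points Luigi makes in the "ipfw: reset tcp" thread above (firewall-generated RSTs leave with M_SKIP_FIREWALL set and so are never seen by natd or fwd rules, and re-processing them is only safe if a RST is never answered with a RST) can be made concrete with a small model. This is an added example, not ipfw code: the packets, the rule lists and the `guard` flag are constructed stand-ins for the mbuf flag and the extra O_REJECT check discussed in the thread, and the 50-pass cap exists only so that a looping configuration fails instead of hanging.

```python
"""Model of the feedback loop discussed in the 'ipfw: reset tcp' thread (added
example, not FreeBSD code): a reject rule creates a new packet, and what happens
to that packet depends on whether it is pushed through the rules again."""
from dataclasses import dataclass, field

MAX_PASSES = 50   # a looping configuration fails loudly instead of hanging

@dataclass
class Pkt:
    src: str                      # "me" (generated by the firewall) or "peer"
    proto: str = "tcp"
    rst: bool = False             # TCP RST flag
    icmp_error: bool = False      # ICMP error message
    skip_firewall: bool = False   # stands in for the M_SKIP_FIREWALL mbuf flag

@dataclass
class Stats:
    passes: int = 0                                # how often the ruleset was consulted
    emitted: list = field(default_factory=list)    # packets that actually left the box

def reply_for(pkt, guard):
    """What a reject rule generates: a RST for TCP, an ICMP error otherwise. With
    guard=True (the additional O_REJECT check proposed in the thread) a RST or an
    ICMP error is never answered, which is what makes re-processing loop-free."""
    if guard and (pkt.rst or pkt.icmp_error):
        return None
    return Pkt("me", rst=True) if pkt.proto == "tcp" else Pkt("me", proto="icmp", icmp_error=True)

def run(pkt, rules, *, reinject, guard, stats=None):
    """Push pkt through rules, a list of (match_fn, action). reinject=False models
    setting M_SKIP_FIREWALL on generated packets; reinject=True sends them back
    through the rules, where natd or fwd rules could act on them."""
    stats = stats if stats is not None else Stats()
    if pkt.skip_firewall:
        stats.emitted.append(pkt)         # leaves without touching the rules
        return stats
    stats.passes += 1
    if stats.passes > MAX_PASSES:
        raise RuntimeError("firewall loop: the generated packet keeps being rejected")
    for match, action in rules:
        if not match(pkt):
            continue
        if action == "allow":
            stats.emitted.append(pkt)
        elif action == "reject":
            reply = reply_for(pkt, guard)
            if reply is not None:
                reply.skip_firewall = not reinject
                run(reply, rules, reinject=reinject, guard=guard, stats=stats)
        return stats                      # "deny" or anything else: drop silently
    return stats                          # nothing matched: default deny

# Constructed rulesets: the good one lets locally generated traffic out before
# rejecting; the bad one rejects everything, including the RST it just produced.
GOOD_RULES = [(lambda p: p.src == "me", "allow"), (lambda p: True, "reject")]
BAD_RULES = [(lambda p: True, "reject")]

def outcome(rules, *, reinject, guard):
    """Return ("ok", passes, emitted_count), or ("loop", MAX_PASSES, 0) if it never ends."""
    try:
        s = run(Pkt("peer"), rules, reinject=reinject, guard=guard)
        return ("ok", s.passes, len(s.emitted))
    except RuntimeError:
        return ("loop", MAX_PASSES, 0)

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        for reinject in (False, True):
            for guard in (False, True):
                print(name, "reinject=%s guard=%s ->" % (reinject, guard),
                      outcome(rules, reinject=reinject, guard=guard))
```

With reinjection off the generated RST leaves after a single pass whatever the rules say, which is exactly why Eugene's natd and fwd rules never get to see it. With reinjection on, a ruleset that lets locally generated traffic out behaves (two passes, one packet out), but the all-reject ruleset answers its own RST with another RST until the cap trips; only the guard turns that into a clean drop, which is the loop-avoidance property the proposed O_REJECT check is meant to provide independently of how the rules are written.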