From owner-freebsd-ipfw Sun Feb 24 11:30:18 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from dual.ms.mff.cuni.cz (www.freebsd.cz [195.113.19.84])
	by hub.freebsd.org (Postfix) with ESMTP id 2CB2637B400
	for ; Sun, 24 Feb 2002 11:30:13 -0800 (PST)
Received: from dual.ms.mff.cuni.cz (dual.ms.mff.cuni.cz [195.113.19.84])
	by dual.ms.mff.cuni.cz (8.11.6/8.11.1) with ESMTP id g1OJTvY21968;
	Sun, 24 Feb 2002 20:30:06 +0100 (CET)
	(envelope-from michal@FreeBSD.cz)
Date: Sun, 24 Feb 2002 20:29:57 +0100 (CET)
From: Michal Kutnohorsky
X-X-Sender: michal@dual.ms.mff.cuni.cz
To: FreeBSD user
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?
In-Reply-To: <20020222031809.M37938-100000@Amber.XtremeDev.com>
Message-ID: <20020224202551.A86332-100000@dual.ms.mff.cuni.cz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

hi,

i think that all you need is to install ALTQ -
http://www.csl.sony.co.jp/person/kjc/programs.html
and use options PRIQ to make priority of packets
there is a txt file with good examples how to do it and some man pages

On Fri, 22 Feb 2002, FreeBSD user wrote:

> I'm trying to decipher ipfw syntax related to dummynet, and I'm not having
> much luck. Basically all I want to do is give priority to all ssh
> connections, both outbound and inbound. If the line is saturated I should
> still be able to ssh in and out of my server, hopefully without too much
> lag. Is this possible with ipfw/dummynet's WF2Q+ policies? And if so, any
> examples you can provide would greatly help. Thanks in advance.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message

--
michal

--   Michal Kutnohorsky                |\          --
--   michal at FreeBSD.cz            .- -.         --
--   icq 24864416                    )\/ (( o\     --
--   http://www.FreeBSD.cz/~michal/  )/'''''--'    --

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Feb 24 11:40:02 2002
Date: Sun, 24 Feb 2002 11:39:58 -0800 (PST)
From: Jerry Murdock
To: FreeBSD user, Sean Chittenden
Cc: freebsd-ipfw@FreeBSD.ORG, Michael Sierchio, Luigi Rizzo
Subject: Re: ipfw, dummynet, weights, and ssh?
Message-ID: <20020224193958.95528.qmail@web14603.mail.yahoo.com>

----- Original Message -----
From: "FreeBSD user"
To: "Sean Chittenden"
Cc: "Michael Sierchio"; "Luigi Rizzo";
Sent: Saturday, February 23, 2002 6:06 AM
Subject: Re: ipfw, dummynet, weights, and ssh?

> I don't understand how this is a bandwidth reservation issue. I simply
> want ssh packets to receive priority over all other packets. Does this
> mean I have to specifically set aside say, some amount of bandwidth even
> if there are no ssh connects at the time? I don't understand the issue, I
> guess, of what's involved in giving priority to ssh packets. Is it indeed
> a bandwidth reservation issue, or is there no such thing as priority when
> dealing with packets leaving and entering an interface? Btw. I'm on a
> RADSL that's dynamic, so I have no idea at any given moment in time how
> much bandwidth I've got from QWest. From their rep, they said anywhere
> from 128kb to 1.2mb.
> Dunno if that's true or not, but I don't know if I
> can simply say to ipfw, "I've got a 128kb pipe, set aside 5kb at all times
> for ssh packets"
>
> Do I have to specify a bandwidth?

http://info.iet.unipi.it/~luigi/bsdcon01/dummynet/mgp00020.txt

From owner-freebsd-ipfw Sun Feb 24 16:00:54 2002
Date: Sun, 24 Feb 2002 16:00:42 -0800
From: Michael Sierchio
To: Jerry Murdock
Cc: FreeBSD user, Sean Chittenden, freebsd-ipfw@FreeBSD.ORG, Luigi Rizzo
Subject: Re: ipfw, dummynet, weights, and ssh?
Message-ID: <3C797EAA.4090005@tenebras.com>
References: <20020224193958.95528.qmail@web14603.mail.yahoo.com>

Jerry Murdock wrote:

> http://info.iet.unipi.it/~luigi/bsdcon01/dummynet/mgp00020.txt

Geez, that's the beauty of an example. It almost seems obvious.
I vote for either adding it to the (already lengthy) man page,
or perhaps including it in a /usr/share/examples/ipfw/etc.

One further question: is it possible to use separate queues of
the same weight to ensure fairness -- i.e. is there a round robin
approach to queues of equal weight with backlogs? This would make
sense when multiplexing data from different subnets -- I'd like to
make sure that the three nets share bandwidth equally when the shared
connection is at capacity, but to permit any to use all of the
available bandwidth if the demand from the other nets isn't affected.

From owner-freebsd-ipfw Sun Feb 24 19:01:24 2002
Date: Mon, 25 Feb 2002 00:01:21 -0300
From: "Luiz Morte Costa Junior"
To: freebsd-ipfw@FreeBSD.ORG

auth 3a47d9a9 subscribe freebsd-ipfw \ xapuri@hotmail.com

From owner-freebsd-ipfw Sun Feb 24 20:09:38 2002
Date: Sun, 24 Feb 2002 01:20:32 -0300
From: "Ivan Coimbra"
Subject: IPFW really doesn't work with non-local addresses!!!
Message-ID: <000e01c1bcea$9ac5ada0$11cad5c8@mshome.net>

Hi,

I am using FreeBSD 4.5, totally updated by the last RELENG_4.
Internal Interface: 10.2.7.89
External Interface: 200.122.56.78
I need to use the ipfw forward (NO NAT!!!), the packages cannot be changed, it
has to maintain its original source!
My active options in kernel are:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
net.inet.ip.forwarding: 1
Rules:
su-2.05a #ipfw show
00100 20 1053 fwd 10.2.7.89,25 tcp from any to any 80
65535 20758 3155253 allow ip from any to any

This works perfectly, because 10.2.7.89 is a local address!!

But when I try with non-local addresses:
su-2.05a #ipfw show
00100 20 1053 fwd 10.2.7.90,25 tcp from any to any 80
65535 20758 3155253 allow ip from any to any

NOTHING WORKS!!

PS: 10.2.7.90 is on the same network!

Can anybody help me??
There are days I don't get any answer!
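Michael Sierchio's question earlier in the dummynet thread (three nets of equal weight sharing a saturated link fairly, while any one of them may take the whole link when the others are idle) and Luigi Rizzo's answer further down ("of course yes. Both for same and different weight") can be checked with a few lines of simulation. The following is an added illustration and not dummynet's WF2Q+ code: a self-clocked weighted fair queueing scheduler with constructed queue names, 1500-byte packets and weights passed in as parameters.

```python
from collections import deque


class FairQueue:
    """Self-clocked weighted fair queueing over one output link.

    Constructed illustration, not dummynet's scheduler.  Each queue carries a
    virtual finish tag; the backlogged queue whose head packet would finish
    first is served next, and serving L bytes from a queue of weight w
    advances that queue's tag by L/w.  Equal weights therefore reduce to round
    robin, and an idle queue earns no credit because its tag is pulled up to
    the link's virtual time when it becomes backlogged again.
    """

    def __init__(self, weights):
        self.weights = dict(weights)                 # queue name -> weight
        self.queues = {q: deque() for q in weights}  # packet sizes in bytes
        self.finish = {q: 0.0 for q in weights}      # finish tag of last packet served
        self.vtime = 0.0                             # virtual time of the link

    def enqueue(self, q, size):
        if not self.queues[q]:
            # queue was idle: forget the idle period, do not let it bank credit
            self.finish[q] = max(self.finish[q], self.vtime)
        self.queues[q].append(size)

    def _head_finish(self, q):
        return self.finish[q] + self.queues[q][0] / self.weights[q]

    def dequeue(self):
        backlogged = [q for q, pk in self.queues.items() if pk]
        if not backlogged:
            return None
        q = min(backlogged, key=self._head_finish)
        size = self.queues[q].popleft()
        self.finish[q] = self.vtime = self.finish[q] + size / self.weights[q]
        return q, size


def bandwidth_share(weights, backlogged, packets=3000, size=1500):
    """Fraction of the link's bytes each queue gets while the queues named in
    `backlogged` always have a packet waiting and the others are idle."""
    fq = FairQueue(weights)
    for q in backlogged:
        fq.enqueue(q, size)
    sent = {q: 0 for q in weights}
    for _ in range(packets):
        q, n = fq.dequeue()
        sent[q] += n
        fq.enqueue(q, size)        # refill so the queue stays backlogged
    total = sum(sent.values())
    return {q: round(sent[q] / total, 2) for q in weights}


def late_joiner(weights, first, second, warmup=1000, packets=1000, size=1500):
    """Share `second` receives after `first` has had the link to itself for
    `warmup` packets: it gets its fair share from now on, not the past back."""
    fq = FairQueue(weights)
    fq.enqueue(first, size)
    for _ in range(warmup):
        fq.dequeue()
        fq.enqueue(first, size)
    fq.enqueue(second, size)
    got = 0
    for _ in range(packets):
        q, n = fq.dequeue()
        got += n if q == second else 0
        fq.enqueue(q, size)
    return round(got / (packets * size), 2)
```

With equal weights `bandwidth_share` returns 0.33 per net when all three are backlogged and 1.0 for the only active net; weights 2:1:1 give 0.5/0.25/0.25.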
From owner-freebsd-ipfw Sun Feb 24 21:24:37 2002
Date: Sun, 24 Feb 2002 21:24:21 -0800
From: Luigi Rizzo
To: Michael Sierchio
Cc: Jerry Murdock, FreeBSD user, Sean Chittenden, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?
Message-ID: <20020224212421.A88678@iguana.icir.org>
References: <20020224193958.95528.qmail@web14603.mail.yahoo.com> <3C797EAA.4090005@tenebras.com>
In-Reply-To: <3C797EAA.4090005@tenebras.com>

On Sun, Feb 24, 2002 at 04:00:42PM -0800, Michael Sierchio wrote:
> Jerry Murdock wrote:
>
> > http://info.iet.unipi.it/~luigi/bsdcon01/dummynet/mgp00020.txt
>
> Geez, that's the beauty of an example. It almost seems obvious.
> I vote for either adding it to the (already lengthy) man page,
> or perhaps including it in a /usr/share/examples/ipfw/etc.
>
> One further question: is it possible to use separate queues of
> the same weight to ensure fairness -- i.e. is there a round robin
> approach to queues of equal weight with backlogs?

of course yes. Both for same and different weight.
Ever wondered why this type of scheduling is called Weighted FAIR Queueing ?

Now i understand that the manpage is rather concise on this particular
topic, but turning it into a 40-page tutorial on traffic management
and scheduling would be equally bad for those just looking at the
command syntax.

cheers
luigi

From owner-freebsd-ipfw Sun Feb 24 23:51:38 2002
Date: Sun, 24 Feb 2002 23:51:32 -0800
From: "Crist J. Clark"
To: Ivan Coimbra
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW really doesn't work with non-local addresses!!!
Message-ID: <20020224235132.G83869@blossom.cjclark.org>
References: <000e01c1bcea$9ac5ada0$11cad5c8@mshome.net>
In-Reply-To: <000e01c1bcea$9ac5ada0$11cad5c8@mshome.net>; from ivan@sunline.com.br on Sun, Feb 24, 2002 at 01:20:32AM -0300
X-URL: http://people.freebsd.org/~cjc/

On Sun, Feb 24, 2002 at 01:20:32AM -0300, Ivan Coimbra wrote:
> Hi,
>
> I am using FreeBSD 4.5, totally updated by the last RELENG_4.
> Internal Interface: 10.2.7.89
> External Interface: 200.122.56.78
> I need to use the ipfw forward (NO NAT!!!), the packages cannot be changed, it
> has to maintain its original source!
> My active options in kernel are:
> options IPFIREWALL
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_FORWARD
> net.inet.ip.forwarding: 1
> Rules:
> su-2.05a #ipfw show
> 00100 20 1053 fwd 10.2.7.89,25 tcp from any to any 80
> 65535 20758 3155253 allow ip from any to any
>
> This works perfectly, because 10.2.7.89 is a local address!!
>
> But when I try with non-local addresses:
> su-2.05a #ipfw show
> 00100 20 1053 fwd 10.2.7.90,25 tcp from any to any 80
> 65535 20758 3155253 allow ip from any to any
>
> NOTHING WORKS!!
>
> PS: 10.2.7.90 is on the same network!
>
> Can anybody help me??
> There are days I don't get any answer!

RTFM,

     fwd ipaddr[,port]
             Change the next-hop on matching packets to ipaddr, which can be
             an IP address in dotted quad or a host name.
             ...
             If the IP is not a local address then the port number (if
             specified) is ignored

You cannot send packets to a different port on the remote machine. Since
we are not modifying the packets in any way, how can you tell the remote
machine to send the packet to a different port?
--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-ipfw Mon Feb 25 19:50:39 2002
Date: Tue, 26 Feb 2002 11:50:33 +0800
From: Victor Tayer
Reply-To: Victor.Tayer@morganstanley.com
Organization: Morgan Stanley
To: freebsd-ipfw@freebsd.org
Subject: ipfw and transparent proxy...
Message-ID: <3C7B0609.90D88A06@morganstanley.com>

hello,

i have been using ipfw/nat for quite some time now and
is very satisfied with its performance.

just wondering how can i use transparent proxy when i'm
also running natd on the same fbsd box.

my box has 2 nics. my internal network is
192.168.0.0/24 and a static public ip.
the box is running natd which works fine.

can i do this setup with ipfw or ipfilter? any sample config is
greatly appreciated.

tnx in advance.
:P
victor "jett" tayer

From owner-freebsd-ipfw Mon Feb 25 23:40:31 2002
Date: Tue, 26 Feb 2002 07:39:59 +0000
From: Baldur Gislason
To: Victor.Tayer@morganstanley.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and transparent proxy...
Message-Id: <02022607395900.07860@germanium>
References: <3C7B0609.90D88A06@morganstanley.com>
In-Reply-To: <3C7B0609.90D88A06@morganstanley.com>

put this before the divert rule(s)
ipfw add fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24
Where 3128 is the port, default Squid setting.

Baldur

On Tuesday 26 February 2002 03:50, you wrote:
> hello,
>
> i have been using ipfw/nat for quite some time now and
> is very satisfied with its performance.
>
> just wondering how can i use transparent proxy when i'm
> also running natd on the same fbsd box.
>
> my box has 2 nics. my internal network is
> 192.168.0.0/24 and a static public ip.
> the box is running natd which works fine.
>
> can i do this setup with ipfw or ipfilter? any sample config is
> greatly appreciated.
>
> tnx in advance.
> :P
>
> victor "jett" tayer

From owner-freebsd-ipfw Tue Feb 26 09:03:07 2002
Date: Tue, 26 Feb 2002 12:02:56 -0500
From: "Dang.Johnny"
To: freebsd-ipfw@freebsd.org
Subject: RE: ipfw and transparent proxy...
Message-ID: <8493B346E1C1DC4A97C170F86C1C47F30296F4@msmail.unitedway.org>

That works beautifully... However, what happens if I have squid running on
another server such as 192.168.1.25? How do I fwd the traffic to that
server?

"put this before the divert rule(s)
ipfw add fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24
Where 3128 is the port, default Squid setting."

Baldur

On Tuesday 26 February 2002 03:50, you wrote:
> hello,
>
> i have been using ipfw/nat for quite some time now and
> is very satisfied with its performance.
>
> just wondering how can i use transparent proxy when i'm
> also running natd on the same fbsd box.
>
> my box has 2 nics. my internal network is
> 192.168.0.0/24 and a static public ip.
> the box is running natd which works fine.
>
> can i do this setup with ipfw or ipfilter? any sample config is
> greatly appreciated.
>
> tnx in advance.
> :P
>
> victor "jett" tayer

From owner-freebsd-ipfw Wed Feb 27 03:52:51 2002
Date: Wed, 27 Feb 2002 11:52:22 +0000
From: Baldur Gislason
To: Bart Matthaei
Cc: freebsd-security@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: best firewall option for FreeBSD
Message-Id: <02022711522201.07860@germanium>
References: <3C7CB173.5F5A9837@hict.nl> <20020227113456.L62131@heresy.dreamflow.nl>
In-Reply-To: <20020227113456.L62131@heresy.dreamflow.nl>

It's never a good idea to silently deny incoming connections on port 113
(RFC1413 ident) as remote daemons you connect to often try establishing a
connection to your host on that port and you won't be served until they've
timed out on the ident connection.
Also, never trust your local users too much, especially if you have a
wireless network.
The most practical design is a DMZ (De-Militarized Zone) for the servers,
external net and partially trusted user network, if you have a wireless
network it may even be a good idea to isolate that from the rest of the user
network, as you must not trust the wireless users at all unless they're
authenticated somehow.
On the DMZ you'd allow in certain ports on each server and range 49152
through 65535 (dynamic port range) may be a good idea if you run an ftpd and
want users to be able to use passive transfers (That applies to most users
that are behind a firewall).

Baldur

On Wednesday 27 February 2002 10:34, you wrote:
> On Wed, Feb 27, 2002 at 11:14:11AM +0100, Geert Houben wrote:
> [snip]
> > Correct me if I'm wrong.
>
> The easiest way of achieving this is to deny everything coming
> from your internal net by default, and set up rules to allow certain
> services, like ssh.
>
> Example:
>
> # allow established connections ( remote host -> source port on client )
> ipfw add pass all from any to any established
>
> ipfw add pass tcp from any to any 22 recv $internal_nic # allow ssh
> ipfw add pass tcp from any to any 80 recv $internal_nic # allow http
> ipfw add pass tcp from any to any 21 recv $internal_nic # allow ftp
>
> ipfw add deny all from any to any recv $internal_nic
>
> You'll get a pretty long set of firewall rules, but that doesn't
> matter.
>
> You should also decide if you want your internal net to have public or
> private ipspace (and if private, using ipnat or natd:
>
> natd runs in userland, so that's no option for large networks (imho).
> ipnat runs in the kernel, so it performs better for large nets.
>
> ).
>
> Regards,
>
> Bart

From owner-freebsd-ipfw Thu Feb 28 00:45:04 2002
Date: Thu, 28 Feb 2002 10:47:17 +0200
From: "Adam@junik.lv"
Subject: pass tcp from any to any established
Message-ID: <174101c1c034$87303380$03cdb6d5@junik.lv>

Hi,

I would really appreciate it if you could cast some light upon this issue:

Is it at all possible that the ipfw rule:
ipfw add pass tcp from any to any established
can be abused by intruders?

Any input, no matter theoretical or real-life, will be highly appreciated!

Many thanks in anticipation,

Adam

From owner-freebsd-ipfw Thu Feb 28 08:02:08 2002
Date: Thu, 28 Feb 2002 08:02:03 -0800
From: "Crist J. Clark"
To: "Adam@junik.lv"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: pass tcp from any to any established
Message-ID: <20020228080202.H66092@blossom.cjclark.org>
References: <174101c1c034$87303380$03cdb6d5@junik.lv>
In-Reply-To: <174101c1c034$87303380$03cdb6d5@junik.lv>; from adam@junik.lv on Thu, Feb 28, 2002 at 10:47:17AM +0200

On Thu, Feb 28, 2002 at 10:47:17AM +0200, Adam@junik.lv wrote:
> Hi,
> I would really appreciate it if you could cast some light upon this issue:
>
> Is it at all possible that the ipfw rule:
> ipfw add pass tcp from any to any established
> can be abused by intruders?

The first thing that comes to mind is an ACK (or SYN-ACK) or FIN scan.
It's as easy as the '-sA' and '-sF' options in nmap(1).
From owner-freebsd-ipfw Thu Feb 28 18:03:53 2002
Date: Fri, 1 Mar 2002 03:03:29 +0100
From: "Christian Gielstrup"
Subject: resolve ipaddr and ports in logs
Message-ID: <001c01c1c0c5$486bd000$7800000a@gielstrup.dk>

Greetings from Denmark..

Is it possible to have the ipaddresses and ports resolved on the rules
that are logged? I mean similar to the output produced by ipfw -N s

E.g every connection reaching to my last reachable rule (/sbin/ipfw a 999
deny l a f a t a). (Default 65535 rule is missing the log option)

It would be nice if ip's and ports could be resolved into names, via DNS,
host file and the services file.

I realize the extra load this could give a fw under "attack", but who
isn't limiting the log amount.

Best regards,
Christian

From owner-freebsd-ipfw Thu Feb 28 18:55:28 2002
Date: Thu, 28 Feb 2002 18:55:26 -0800
From: Bill Fumerola
To: Christian Gielstrup
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: resolve ipaddr and ports in logs
Message-ID: <20020301025526.GK803@elvis.mu.org>
References: <001c01c1c0c5$486bd000$7800000a@gielstrup.dk>
In-Reply-To: <001c01c1c0c5$486bd000$7800000a@gielstrup.dk>
X-Operating-System: FreeBSD 4.5-MUORG-20020215 i386

On Fri, Mar 01, 2002 at 03:03:29AM +0100, Christian Gielstrup wrote:

> E.g every connection reaching to my last reachable rule (/sbin/ipfw a 999 deny l a f a t a). (Default 65535 rule is missing the log option)
> It would be nice if ip's and ports could be resolved into names, via DNS, host file and the services file.
> I realize the extra load this could give a fw under "attack", but who isn't limiting the log amount.

no, it can't. you should be doing these sorts of translations in
post-processing if it's really that important.
--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
- my anger management counselor can beat up your self-affirmation therapist

From owner-freebsd-ipfw Thu Feb 28 19:07:06 2002
Date: Fri, 01 Mar 2002 11:07:22 +0800
From: Victor Tayer
Reply-To: Victor.Tayer@morganstanley.com
Organization: Morgan Stanley
To: Baldur Gislason
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and transparent proxy...
Message-ID: <3C7EF06A.5A306DFD@morganstanley.com>
References: <3C7B0609.90D88A06@morganstanley.com> <02022607395900.07860@germanium>

i tried this setup. put it before my divert rules... now i'm having
problems with irc, icq and yahoo messenger. :(

am i missing something here?

victor tayer

Baldur Gislason wrote:

> put this before the divert rule(s)
> ipfw add fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24
> Where 3128 is the port, default Squid setting.
>
> Baldur
>
> On Tuesday 26 February 2002 03:50, you wrote:
> > hello,
> >
> > i have been using ipfw/nat for quite some time now and
> > am very satisfied with its performance.
> >
> > just wondering how can i use transparent proxy when i'm
> > also running natd on the same fbsd box.
> >
> > my box has 2 nics. my internal network is
> > 192.168.0.0/24 and a static public ip.
> > the box is running natd which works fine.
> >
> > can i do this setup with ipfw or ipfilter? any sample config is
> > greatly appreciated.
> >
> > tnx in advance. :P
> >
> > victor "jett" tayer

From owner-freebsd-ipfw Fri Mar 1 02:36:12 2002
Date: Fri, 1 Mar 2002 05:36:05 -0500
From: "Dang.Johnny"
To: "'Victor.Tayer@morganstanley.com'", Baldur Gislason
Cc: freebsd-ipfw@freebsd.org
Subject: RE: ipfw and transparent proxy...
Message-ID: <8493B346E1C1DC4A97C170F86C1C47F30296FD@msmail.unitedway.org>
The correct syntax is this:

ipfw add fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24 80

You don't want to forward EVERYTHING, just port 80 (web traffic). All you have to do is add 80 at the end of the line.

God bless FreeBSD.

Yours In Service
++++++++++++++++++++++++++++++++++++
Johnny Dang
johnny.dang@uwa.unitedway.org
Senior Network Engineer
MCP MCSE + 4.0 + Internet + 2K + XP + .NET
++++++++++++++++++++++++++++++++++++

-----Original Message-----
From: Victor Tayer [mailto:Victor.Tayer@morganstanley.com]
Sent: Thursday, February 28, 2002 10:07 PM
To: Baldur Gislason
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw and transparent proxy...

i tried this setup. put it before my divert rules... now I'm having problems with irc, icq and yahoo messenger. :( am i missing something here?

victor tayer

Baldur Gislason wrote:
> put this before the divert rule(s)
> ipfw add fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24
> Where 3128 is the port, default Squid setting.
>
> Baldur
>
> On Tuesday 26 February 2002 03:50, you wrote:
> > hello,
> >
> > i have been using ipfw/nat for quite some time now and
> > am very satisfied with its performance.
> >
> > just wondering how can i use transparent proxy when i'm also running
> > natd on the same fbsd box.
> >
> > my box has 2 nics. my internal network is
> > 192.168.0.0/24 and a static public ip.
> > the box is running natd which works fine.
> >
> > can i do this setup with ipfw or ipfilter? any sample config is
> > greatly appreciated.
> >
> > tnx in advance.
> > :P
> >
> > victor "jett" tayer

From owner-freebsd-ipfw Fri Mar 1 07:17:28 2002
Message-ID:
<30575.200.208.15.217.1014995951.squirrel@tucunare.fee.unicamp.br>
Date: Fri, 1 Mar 2002 12:19:11 -0300 (EST)
Subject: ipfw problem
From: "Luiz Morte da Costa Jr"
To:
Reply-To: morte@dsee.fee.unicamp.br

Hi all,

I don't know if this is possible, but ... :

I've installed FreeBSD 4.4 on hardware with 3 NICs. I've configured:

nic fxp0: a.b.c.d -> Internet link, with a valid IP
nic fxp1: e.f.g.h -> Internet link, with a valid IP
nic fxp2: 10.10.10.1 -> Internal link, with a non-valid IP

My default router is a.b.c.29 (the same IP class as fxp0)

I'm using ipfw+nat and the idea is:
http protocol: out/in via fxp1
other protocols: out/in via fxp0

- I start nat like this:
natd (8668) on the fxp0 nic and
natd2 (8669) on the fxp1 nic

- I've used the rules below:
add 001 divert 8669 tcp from any to any 80
add 002 divert 8669 tcp from any 80 to any
add 003 fwd e.f.g.h tcp from any to any 80 via fxp1 (fxp1 IP Class)
add 004 fwd e.f.g.h tcp from any 80 to any via fxp1 (fxp1 IP Class)
add 005 skipto 020 tcp from any to any 80
add 006 skipto 020 tcp from any 80 to any
add 010 divert 8668 all from any to any
add 020 allow log all from any to any

- logs:
Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept 10.10.10.130:1133 209.73.180.8:80 in via fxp2
(accessing AltaVista from a machine on the internal network: 10.10.10.130)

Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept e.f.g.h:1133 209.73.180.8:80 out via fxp0

I think the NAT is working fine (logs), but all the internet traffic is passing through fxp0. I have a routing problem and I don't know if I can fix it. In other words: only the http protocol through fxp1 and the other protocols through fxp0.

Thanks in advance,
Luiz Morte.
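Bill's advice earlier in this thread (resolve names in post-processing, not in the firewall) applied to log lines in the format Luiz quotes above, as an added example. This is the editor's code, not from the thread or from ipfw. The log lines, the hosts/services tables and the function names are constructed for the example; reverse DNS and the system services file are opt-in, so the default run is deterministic and never waits on a resolver.

```python
"""Offline resolver for ipfw(8) log lines: names are filled in after the fact.

Added example (editor's code, not from the thread or from ipfw). The
firewall logs only numbers; a script run over the saved log maps them to
names from hosts/services tables. The sample log lines, the two tables and
the function names are constructed for this example; real use would read
syslog output and could swap the tables for /etc/hosts, /etc/services
(socket.getservbyport) or reverse DNS.
"""
import re
import socket

# FreeBSD 4.x ipfw log format, e.g.
#   ipfw: 020 Accept TCP 10.10.10.130:1133 209.73.180.8:80 in via fxp2
# Protocol token and ports are optional so that lines like the ones quoted
# in this thread (no protocol token) and ICMP lines (no ports) still parse.
_IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?:(?P<proto>[A-Z]+(?::[\d.]+)?|P:\d+) )?"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed tables standing in for /etc/hosts and /etc/services.
HOSTS = {"10.10.10.130": "ws130.internal", "209.73.180.8": "www.altavista.example"}
SERVICES = {22: "ssh", 80: "http", 3128: "squid"}


def parse_ipfw_line(line):
    """Fields of one ipfw log line as a dict, or None if the line is not one."""
    m = _IPFW_RE.search(line)
    return m.groupdict() if m else None


def resolve_host(ip, use_dns=False):
    """Table lookup first; reverse DNS only when asked for.

    DNS stays off by default: a slow resolver or an attacker-controlled PTR
    record should neither stall log processing nor decorate a log line with
    a name the attacker chose.
    """
    if ip in HOSTS:
        return HOSTS[ip]
    if use_dns:
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            pass
    return ip


def resolve_port(port, use_system_services=False):
    """Service name for a port string; unknown ports stay numeric."""
    if port is None:
        return None
    n = int(port)
    if n in SERVICES:
        return SERVICES[n]
    if use_system_services:
        try:
            return socket.getservbyport(n)
        except OSError:
            pass
    return port


def resolve_ipfw_log(line, use_dns=False, use_system_services=False):
    """Rewrite one log line with names; lines that are not ipfw lines pass through."""
    m = _IPFW_RE.search(line)
    if m is None:
        return line
    f = m.groupdict()
    src, dst = resolve_host(f["src"], use_dns), resolve_host(f["dst"], use_dns)
    if f["sport"] is not None:
        src = "%s:%s" % (src, resolve_port(f["sport"], use_system_services))
    if f["dport"] is not None:
        dst = "%s:%s" % (dst, resolve_port(f["dport"], use_system_services))
    proto = f["proto"] + " " if f["proto"] else ""
    return line[:m.start()] + "ipfw: %s %s %s%s %s %s via %s" % (
        f["rule"], f["action"], proto, src, dst, f["dir"], f["iface"])


# Constructed sample: the accept line quoted above in this thread and a deny
# from a catch-all rule like the one Christian describes.
SAMPLE_LOG = [
    "Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept 10.10.10.130:1133 209.73.180.8:80 in via fxp2",
    "Mar  1 03:01:02 fw /kernel: ipfw: 999 Deny TCP 198.51.100.7:4444 203.0.113.9:22 in via fxp0",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(resolve_ipfw_log(entry))
```

The script keeps DNS off by default for the reason Christian already anticipates: name resolution in the logging path is extra load under attack, and a PTR record is controlled by whoever owns the address, so a name should be attached to a log line only after the fact and from a source you trust.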
From owner-freebsd-ipfw Fri Mar 1 09:37:57 2002
Date: Thu, 28 Feb 2002 15:20:24 -0500
From: "Williams, Robert"
To: ipfw@freebsd.org
Subject: GUI for IPFW running FreeBSD 4.3?

Is there a remote GUI tool that I can run against my FreeBSD 4.3 server running IPFW & NATD? I am currently running sshd for remote access (network side, working on PKI only for authentication from the internet interface, no passwords) and was just curious about my options.
TIA
Rob

From owner-freebsd-ipfw Sat Mar 2 11:06:42 2002
Date: Sat, 2 Mar 2002 11:06:37 -0800
From: "Crist J. Clark"
To: Luiz Morte da Costa Jr
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw problem
Message-ID: <20020302110637.F66092@blossom.cjclark.org>
In-Reply-To: <30575.200.208.15.217.1014995951.squirrel@tucunare.fee.unicamp.br>; from morte@dsee.fee.unicamp.br on Fri, Mar 01, 2002 at 12:19:11PM -0300
X-URL: http://people.freebsd.org/~cjc/

On Fri, Mar 01, 2002 at 12:19:11PM -0300, Luiz Morte da Costa Jr wrote:
>
> Hi all,
>
> I don't know if this is possible, but ... :

Anything is possible.

> I've installed FreeBSD 4.4 on hardware with 3 NICs.
> I've configured:
>
> nic fxp0: a.b.c.d -> Internet link, with a valid IP
> nic fxp1: e.f.g.h -> Internet link, with a valid IP
> nic fxp2: 10.10.10.1 -> Internal link, with a non-valid IP
>
> My default router is a.b.c.29 (the same IP class as fxp0)
>
> I'm using ipfw+nat and the idea is:
> http protocol: out/in via fxp1
> other protocols: out/in via fxp0

OK. Whatever you want.

> - I start nat like this:
> natd (8668) on the fxp0 nic and
> natd2 (8669) on the fxp1 nic

These are just run like 'natd -n fxp[01]' with no additional options?

> - I've used the rules below:
> add 001 divert 8669 tcp from any to any 80
> add 002 divert 8669 tcp from any 80 to any
> add 003 fwd e.f.g.h tcp from any to any 80 via fxp1 (fxp1 IP Class)
> add 004 fwd e.f.g.h tcp from any 80 to any via fxp1 (fxp1 IP Class)
> add 005 skipto 020 tcp from any to any 80
> add 006 skipto 020 tcp from any 80 to any
> add 010 divert 8668 all from any to any
> add 020 allow log all from any to any
>
> - logs:
> Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept 10.10.10.130:1133 209.73.180.8:80 in via fxp2
> (accessing AltaVista from a machine on the internal network: 10.10.10.130)
>
> Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept e.f.g.h:1133 209.73.180.8:80 out via fxp0
>
> I think the NAT is working fine (logs), but all the internet traffic is
> passing through fxp0. I have a routing problem and I don't know if I can fix
> it. In other words: only the http protocol through fxp1 and the other
> protocols through fxp0.

Your 3 and 4 rules do not mean what you seem to think they mean. Rule 3 is saying, forward to e.f.g.h any packet that is crossing interface fxp1 destined to port 80. That is, the 'via fxp1' means the packet must be already crossing that interface to match the rule. Plus, you really don't want to be 'fwd'ing the packets to the local machine. That means the local machine processes them as if they were destined for itself.
What you want to do is,

add 003 fwd e.f.g.i tcp from e.f.g.h to any 80 out

Where e.f.g.i is the gateway off of e.f.g.h. At least, if that whole mess works at all, this rule will kick those packets out of the other link.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
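The two corrections in this thread, Johnny's trailing port 80 on the transparent-proxy fwd rule and Crist's 'out' form of Luiz's rule 003, traced through a small first-match model of ipfw, as an added example. This is the editor's code, not from the thread, FreeBSD or natd. It assumes constructed stand-ins for the masked addresses (e.f.g.h as 203.0.113.10 on fxp1, e.f.g.i as 203.0.113.1, fxp1's gateway), a constructed LAN packet arriving on an interface named rl0, and treats divert as a pass-through to the next rule because natd's rewrite is not modelled.

```python
# Added example (editor's code, not from the thread, FreeBSD or natd): a toy
# first-match model of the ipfw(8) rule syntax quoted above. Assumptions: the
# masked addresses are replaced by constructed stand-ins (e.f.g.h -> 203.0.113.10
# on fxp1, e.f.g.i -> 203.0.113.1), 'divert' falls through to the next rule
# (natd's rewrite is not modelled) and 'log' is ignored.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src sport dst dport direction iface")
Rule = namedtuple("Rule", "number action arg proto src sport dst dport direction via")

def _addr_port(toks):
    """Consume '[not] ADDR [PORT]' from the front of the token list."""
    addr = toks.pop(0)
    if addr == "not":
        addr = "not " + toks.pop(0)
    port = int(toks.pop(0)) if toks and toks[0].isdigit() else None
    return addr, port

def parse_rule(text):
    """Parse the subset of ipfw rule syntax used in this thread."""
    toks = text.split()
    if toks[0] == "add":
        toks.pop(0)
    number, action = int(toks.pop(0)), toks.pop(0)
    arg = toks.pop(0) if action in ("fwd", "divert", "skipto") else None
    if toks[0] == "log":  # logging does not affect matching
        toks.pop(0)
    proto = toks.pop(0)
    assert toks.pop(0) == "from", text
    src, sport = _addr_port(toks)
    assert toks.pop(0) == "to", text
    dst, dport = _addr_port(toks)
    direction = via = None
    while toks:
        t = toks.pop(0)
        if t in ("in", "out"):
            direction = t
        elif t == "via":
            via = toks.pop(0)
        else:
            raise ValueError("unsupported option %r in: %s" % (t, text))
    return Rule(number, action, arg, proto, src, sport, dst, dport, direction, via)

def _addr_match(spec, addr):
    if spec.startswith("not "):
        return not _addr_match(spec[4:], addr)
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(r, p):
    """'via IF' matches a packet crossing IF in either direction; 'in'/'out' pin the direction."""
    return (r.proto in ("all", "ip", p.proto)
            and r.direction in (None, p.direction)
            and r.via in (None, p.iface)
            and _addr_match(r.src, p.src) and _addr_match(r.dst, p.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport))

def evaluate(rules, p):
    """First match wins: (action, arg, rule). skipto jumps forward; divert falls through; no match -> 65535 deny."""
    rules = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(rules):
        r = rules[i]
        if matches(r, p):
            if r.action == "skipto":
                i = next((j for j, x in enumerate(rules) if x.number >= int(r.arg)), len(rules))
                continue
            if r.action != "divert":
                return r.action, r.arg, r.number
        i += 1
    return "deny", None, 65535

# Scenario 1: Baldur's proxy rule as posted, then with Johnny's trailing port 80.
TAIL = [parse_rule("add 200 allow all from any to any")]
PROXY_UNSCOPED = [parse_rule("add 100 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24")] + TAIL
PROXY_SCOPED = [parse_rule("add 100 fwd 127.0.0.1,3128 tcp from 192.168.0.0/24 to not 192.168.0.0/24 80")] + TAIL

def proxy_decision(rules, dport):
    """A LAN client (constructed packet) opening a connection to an outside host on dport."""
    return evaluate(rules, Packet("tcp", "192.168.0.5", 1025, "198.51.100.20", dport, "in", "rl0"))[:2]

# Scenario 2: Luiz's ruleset with rule 003 as he posted it, then as Crist rewrote it.
LUIZ_BASE = [parse_rule(t) for t in (
    "add 001 divert 8669 tcp from any to any 80",
    "add 002 divert 8669 tcp from any 80 to any",
    "add 004 fwd 203.0.113.10 tcp from any 80 to any via fxp1",
    "add 005 skipto 020 tcp from any to any 80",
    "add 006 skipto 020 tcp from any 80 to any",
    "add 010 divert 8668 all from any to any",
    "add 020 allow log all from any to any")]
RULE3_AS_POSTED = parse_rule("add 003 fwd 203.0.113.10 tcp from any to any 80 via fxp1")
RULE3_CRIST = parse_rule("add 003 fwd 203.0.113.1 tcp from 203.0.113.10 to any 80 out")

def http_after_nat(rule3):
    """The thread's second log line: the NATed HTTP packet leaving via the default route on fxp0."""
    return evaluate(LUIZ_BASE + [rule3], Packet("tcp", "203.0.113.10", 1133, "209.73.180.8", 80, "out", "fxp0"))

if __name__ == "__main__":
    print("IRC 6667 unscoped/scoped:", proxy_decision(PROXY_UNSCOPED, 6667), proxy_decision(PROXY_SCOPED, 6667))
    print("rule 003 posted/Crist:", http_after_nat(RULE3_AS_POSTED), http_after_nat(RULE3_CRIST))
```

Running it shows the unscoped rule forwarding an IRC connection on port 6667 to Squid (which is why Victor's IRC, ICQ and Yahoo sessions broke), the scoped rule letting that connection fall through to the allow rule, rule 003 as posted never matching the NATed packet because it crosses fxp0 rather than fxp1 (so the packet ends at rule 020 and leaves by the default route), and Crist's version returning next hop 203.0.113.1 from rule 003. The model stops where the kernel's part begins: a fwd next hop is handed back to the output path for a fresh route lookup, which is what puts the packet on the link that has a route to that next hop.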