From owner-freebsd-ipfw Sun Jul 21 07:29:08 2002
From: "Danny Carroll"
To: questions@freeBSD.org
Cc: ipfw@freeBSD.org
Subject: ACK Packet traffic shaping - OR - The ADSL firewall issue....
Date: Mon, 22 Jul 2002 00:29:04 +1000

Firstly, apologies for the cross post, I am not sure if this is an ipfw related topic.

Secondly, pls respond directly, I am not subscribed with this address.

OK. The problem as I understand it, is that when you are uploading lots on the ADSL connection, it will limit the DL speed and vice versa. This is because there is little room left in the available bandwidth for the ACK packets of a data xfer.

The question is, can the traffic be shaped in such a way as to give priority to these types of packets?

Or, limit the UP/Down speed of an individual IP address so that at least they are the only ones affected?

-D
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Jul 21 09:53:54 2002
From: "Dizzy"
To: "Danny Carroll", questions@FreeBSD.ORG
Cc: ipfw@FreeBSD.ORG
Subject: Re: ACK Packet traffic shaping - OR - The ADSL firewall issue....
Date: Sun, 21 Jul 2002 18:52:21 +0900

Hi,

You can use dummynet with IPFW to modify queue (change priority) and limit up and down traffic.

---------- Original Message -----------
From: "Danny Carroll"
To: questions@FreeBSD.ORG
Sent: Mon, 22 Jul 2002 00:29:04 +1000
Subject: ACK Packet traffic shaping - OR - The ADSL firewall issue....

> Firstly, apologies for the cross post, I am not sure if this is an
> ipfw related topic.
>
> Secondly, pls respond directly, I am not subscribed with this address.
>
> OK. The problem as I understand it, is that when you are uploading
> lots on the ADSL connection, it will limit the DL speed and vice
> versa. This is because there is little room left in the available
> bandwidth for the ACK packets of a data xfer.
>
> The question is, can the traffic be shaped in such a way as to give
> priority to these types of packets?
>
> Or, limit the UP/Down speed of an individual IP address so that at
> least they are the only ones affected?
>
> -D
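As an added example (not code from the thread), here are the two dummynet layouts Dizzy's answer points at, written as an ipfw(8) rule generator: a weighted queue pair that lets ACKs jump the upload queue, and a masked pipe that caps each LAN host separately. The interface name, link rates and LAN subnet are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): two dummynet layouts for the ADSL
# problem Danny describes. Interface name, link rates and LAN subnet are
# assumptions; the kernel needs IPFIREWALL and DUMMYNET.
EXT_IF="${EXT_IF:-tun0}"             # assumed ADSL-facing interface
UP_KBIT="${UP_KBIT:-240}"            # assumed: just under the 256 kbit/s
                                     # uplink, so packets queue in dummynet
                                     # (where we can reorder them) and not
                                     # in the modem (where we cannot)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed internal subnet
HOST_KBIT="${HOST_KBIT:-64}"         # assumed per-host upload cap

# Approach 1 (Danny's first option): one pipe at uplink rate, shared by two
# WF2Q+ queues. Weights are relative, so queue 1 takes 9/10 of the link
# whenever it has something to send and the bulk queue gets the rest.
# Pure ACKs are 40 bytes (IP + TCP headers) or 52 with TCP timestamps;
# anything longer carries data and belongs in the bulk queue.
ack_priority_rules() {
    cat <<EOF
pipe 1 config bw ${UP_KBIT}Kbit/s
queue 1 config pipe 1 weight 90
queue 2 config pipe 1 weight 10
add 1000 queue 1 tcp from any to any out xmit ${EXT_IF} tcpflags ack iplen 40
add 1001 queue 1 tcp from any to any out xmit ${EXT_IF} tcpflags ack iplen 52
add 1010 queue 2 ip from any to any out xmit ${EXT_IF}
EOF
}

# Approach 2 (Danny's second option): a per-host cap. The mask tells
# dummynet to create one dynamic pipe per distinct low byte of the source
# address, so one busy uploader only slows itself down.
per_host_rules() {
    cat <<EOF
pipe 2 config bw ${HOST_KBIT}Kbit/s mask src-ip 0x000000ff
add 900 pipe 2 ip from ${LAN_NET} to any out xmit ${EXT_IF}
EOF
}

# Load a rule set with ipfw(8), which reads one command per line from a
# file. With net.inet.ip.fw.one_pass=1 (the default) a packet leaves the
# firewall as soon as it has been handed to a pipe or queue, so keep any
# deny rules in front of these and do not mix the two approaches unless
# one_pass is 0 and the ordering has been thought through.
apply_rules() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not found; printing rules instead of loading them" >&2
        "$1"
        return 0
    fi
    tmp=$(mktemp) || return 1
    "$1" > "$tmp"
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    ack)  apply_rules ack_priority_rules ;;
    host) apply_rules per_host_rules ;;
esac
```

Run it as `sh shaping.sh ack` or `sh shaping.sh host` as root on the router; without ipfw present it only prints the rules it would load.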
From owner-freebsd-ipfw Mon Jul 22 12:13:25 2002
Date: Mon, 22 Jul 2002 12:13:19 -0700
From: "Crist J. Clark"
To: ticso@cicely.de
Cc: Didier Rwitura, ipfw@FreeBSD.ORG
Subject: Re: disconection

On Fri, Jul 19, 2002 at 10:56:49AM +0200, Bernd Walter wrote:
> On Thu, Jul 18, 2002 at 01:52:26PM -0400, Didier Rwitura wrote:
> > Thanx martin and Thomas
> >
> > - the auto-off is off completely .. I guess the reason is mostly the
> > firewall
> >
> > - to answer Thomas
> >
> > yeap i do
> > here are my ipfw rules :
> >
> > #allow ssh
> > add 00300 allow tcp from 216.254.136.110 to any ssh in setup keep-state
> >
> > add 00301 allow tcp from any to any out setup keep-state
> >
> > add 00302 allow tcp from any ssh to any out setup keep-state
> > add 00304 allow tcp from any to any ssh in
> > add 00305 allow tcp from any to any out setup keep-state
>
> add 299 check-states

It's 'check-state,' and adding it would be completely redundant.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw Mon Jul 22 12:33:12 2002
Date: Mon, 22 Jul 2002 21:32:56 +0200
From: Bernd Walter
To: "Crist J. Clark"
Cc: ticso@cicely.de, Didier Rwitura, ipfw@FreeBSD.ORG
Subject: Re: disconection

On Mon, Jul 22, 2002 at 12:13:19PM -0700, Crist J. Clark wrote:
> On Fri, Jul 19, 2002 at 10:56:49AM +0200, Bernd Walter wrote:
> > On Thu, Jul 18, 2002 at 01:52:26PM -0400, Didier Rwitura wrote:
> > > Thanx martin and Thomas
> > >
> > > - the auto-off is off completely .. I guess the reason is mostly the
> > > firewall
> > >
> > > - to answer Thomas
> > >
> > > yeap i do
> > > here are my ipfw rules :
> > >
> > > #allow ssh
> > > add 00300 allow tcp from 216.254.136.110 to any ssh in setup keep-state
> > >
> > > add 00301 allow tcp from any to any out setup keep-state
> > >
> > > add 00302 allow tcp from any ssh to any out setup keep-state
> > > add 00304 allow tcp from any to any ssh in
> > > add 00305 allow tcp from any to any out setup keep-state
> >
> > add 299 check-states
>
> It's 'check-state,' and adding it would be completely redundant.

Using keep-state without check-state is bogus.
-- 
B.Walter              COSMO-Project         http://www.cosmo-project.de
ticso@cicely.de         Usergroup           info@cosmo-project.de

From owner-freebsd-ipfw Mon Jul 22 12:33:36 2002
From: "Didier Rwitura"
To: "Crist J. Clark"
Subject: Re: disconection
Date: Mon, 22 Jul 2002 15:19:17 -0400

When I added the

add 299 check-states

I locked myself out, I removed it.

====================================
Didier

----- Original Message -----
From: "Crist J. Clark"
Cc: "Didier Rwitura"
Sent: Monday, July 22, 2002 3:13 PM
Subject: Re: disconection

> On Fri, Jul 19, 2002 at 10:56:49AM +0200, Bernd Walter wrote:
> > On Thu, Jul 18, 2002 at 01:52:26PM -0400, Didier Rwitura wrote:
> > > Thanx martin and Thomas
> > >
> > > - the auto-off is off completely .. I guess the reason is mostly the
> > > firewall
> > >
> > > - to answer Thomas
> > >
> > > yeap i do
> > > here are my ipfw rules :
> > >
> > > #allow ssh
> > > add 00300 allow tcp from 216.254.136.110 to any ssh in setup keep-state
> > >
> > > add 00301 allow tcp from any to any out setup keep-state
> > >
> > > add 00302 allow tcp from any ssh to any out setup keep-state
> > > add 00304 allow tcp from any to any ssh in
> > > add 00305 allow tcp from any to any out setup keep-state
> >
> > add 299 check-states
>
> It's 'check-state,' and adding it would be completely redundant.
> -- 
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw Mon Jul 22 12:36:38 2002
Date: Mon, 22 Jul 2002 21:36:27 +0200
From: Bernd Walter
To: "Crist J. Clark"
Cc: ticso@cicely.de, Didier Rwitura, ipfw@FreeBSD.ORG
Subject: Re: disconection

On Mon, Jul 22, 2002 at 09:32:56PM +0200, Bernd Walter wrote:
> On Mon, Jul 22, 2002 at 12:13:19PM -0700, Crist J. Clark wrote:
> > On Fri, Jul 19, 2002 at 10:56:49AM +0200, Bernd Walter wrote:
> > > On Thu, Jul 18, 2002 at 01:52:26PM -0400, Didier Rwitura wrote:
> > > > Thanx martin and Thomas
> > > >
> > > > - the auto-off is off completely .. I guess the reason is mostly the
> > > > firewall
> > > >
> > > > - to answer Thomas
> > > >
> > > > yeap i do
> > > > here are my ipfw rules :
> > > >
> > > > #allow ssh
> > > > add 00300 allow tcp from 216.254.136.110 to any ssh in setup keep-state
> > > >
> > > > add 00301 allow tcp from any to any out setup keep-state
> > > >
> > > > add 00302 allow tcp from any ssh to any out setup keep-state
> > > > add 00304 allow tcp from any to any ssh in
> > > > add 00305 allow tcp from any to any out setup keep-state
> > >
> > > add 299 check-states
> >
> > It's 'check-state,' and adding it would be completely redundant.
>
> Using keep-state without check-state is bogus.

Sorry - you are right - it's done at the first keep-state automagically.
But nevertheless I would strongly suggest adding a check-state to make the situation clear about what happens.

-- 
B.Walter              COSMO-Project         http://www.cosmo-project.de
ticso@cicely.de         Usergroup           info@cosmo-project.de

From owner-freebsd-ipfw Mon Jul 22 12:37:55 2002
Date: Mon, 22 Jul 2002 21:37:45 +0200
From: Bernd Walter
To: Didier Rwitura
Cc: "Crist J. Clark", ticso@cicely.de, ipfw@FreeBSD.ORG
Subject: Re: disconection

On Mon, Jul 22, 2002 at 03:19:17PM -0400, Didier Rwitura wrote:
> when I added the
> add 299 check-states
>
> i locked myself out, I removed it

Which hides the real reason for your problem.

-- 
B.Walter              COSMO-Project         http://www.cosmo-project.de
ticso@cicely.de         Usergroup           info@cosmo-project.de

From owner-freebsd-ipfw Mon Jul 22 15:42:27 2002
Date: Mon, 22 Jul 2002 15:42:21 -0700
From: Sean Chittenden
To: ipfw@freebsd.org, net@freebsd.org
Subject: Increasing the hash table size for dummynet...

[Sorry for the cross post: I don't know where the dummynet gurus live]

I have a situation where I'm rate shaping a LARGE number of concurrent TCP connections, however I've run into a slight problem/limitation: dummynet has a max hash table size of 1024 and I'm currently handling about 8-17K in TCP connections in a single queue. :-/ I quickly looked over the hash algorithm and couldn't see any reason why the max size couldn't be increased beyond 1024. Could someone comment on the attached? -sc

-- 
Sean Chittenden

From owner-freebsd-ipfw Mon Jul 22 15:47:02 2002
Date: Mon, 22 Jul 2002 15:46:53 -0700
From: Sean Chittenden
To: ipfw@freebsd.org, net@freebsd.org
Subject: Re: Increasing the hash table size for dummynet...

> [Sorry for the cross post: I don't know where the dummynet gurus live]
>
> I have a situation where I'm rate shaping a LARGE number of
> concurrent TCP connections, however I've run into a slight
> problem/limitation: dummynet has a max hash table size of 1024 and I'm
> currently handling about 8-17K in TCP connections in a single queue.
> :-/ I quickly looked over the hash algorithm and couldn't see any
> reason why the max size couldn't be increased beyond 1024. Could
> someone comment on the attached? -sc

My bad. Pushed send too quickly. Attached. -sc

-- 
Sean Chittenden

[Attachment: patch]

Index: sys/netinet/ip_dummynet.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_dummynet.c,v
retrieving revision 1.51
diff -u -r1.51 ip_dummynet.c
--- sys/netinet/ip_dummynet.c	2002/07/17 07:21:42	1.51
+++ sys/netinet/ip_dummynet.c	2002/07/22 22:35:24
@@ -1463,8 +1463,8 @@
 		l = dn_hash_size;
 		if (l < 4)
 			l = 4;
-		else if (l > 1024)
-			l = 1024;
+		else if (l > DN_MAX_HASH_SIZE)
+			l = DN_MAX_HASH_SIZE;
 		x->rq_size = l;
 	} else                  /* one is enough for null mask */
 		x->rq_size = 1;
Index: sys/netinet/ip_dummynet.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_dummynet.h,v
retrieving revision 1.21
diff -u -r1.21 ip_dummynet.h
--- sys/netinet/ip_dummynet.h	2002/06/23 09:14:24	1.21
+++ sys/netinet/ip_dummynet.h	2002/07/22 22:35:25
@@ -77,6 +77,12 @@
 #define OFFSET_OF(type, field) ((int)&( ((type *)0)->field) )
 
 /*
+ * The maximum hash table size for queues. This value must be a power
+ * of 2.
+ */
+#define DN_MAX_HASH_SIZE 65536
+
+/*
  * A heap entry is made of a key and a pointer to the actual
  * object stored in the heap.
  * The heap is an array of dn_heap_entry entries, dynamically allocated.
Index: sbin/ipfw/ipfw.8
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v
retrieving revision 1.103
diff -u -r1.103 ipfw.8
--- sbin/ipfw/ipfw.8	2002/07/06 19:33:15	1.103
+++ sbin/ipfw/ipfw.8	2002/07/22 22:35:26
@@ -991,7 +991,7 @@
 .Xr sysctl 8
 variable
 .Em net.inet.ip.dummynet.hash_size ,
-allowed range is 16 to 1024.
+allowed range is 16 to 65536.
 .It Cm pipe Ar pipe_nr
 Connects a queue to the specified pipe.
 Multiple queues (usually
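Review bot: in the ip_dummynet.c hunk only the upper bound moves to a macro; the lower bound stays as a magic number in `if (l < 4) l = 4;`, so define a matching DN_MIN_HASH_SIZE beside DN_MAX_HASH_SIZE and use both here. The clamp also passes any value between the two bounds straight through to `x->rq_size = l;`, so nothing in this hunk rounds a configured size such as 1000 up or down to a power of two; if the table size really must be a power of two, as the new header comment says, round it here, and if it need not be, the comment should not claim it.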
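Review bot: the ip_dummynet.h hunk should say what the new constant costs, not only that it must be a power of two: every queue configured with a mask can now get an rq_size of up to 65536, sixty-four times the old cap, so 65536 is a memory decision as well as a distribution one, and a sentence on why this value was chosen against the 8-17K sessions in the mail would help whoever tunes it next. The "must be a power of 2" remark is advisory as written; a preprocessor check on `DN_MAX_HASH_SIZE & (DN_MAX_HASH_SIZE - 1)` next to the define would make it enforced.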
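Review bot: the ipfw.8 hunk updates only the upper number, leaving "allowed range is 16 to 65536" while the ip_dummynet.c hunk clamps the minimum at 4, so the man page and the code disagree on the lower bound both before and after this patch; fix the minimum on one side or the other in the same change. The value 65536 is also now written out twice, once as the macro and once in the manual, with nothing tying them together; a comment beside DN_MAX_HASH_SIZE naming this ipfw.8 line would keep the two from drifting apart again.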
From owner-freebsd-ipfw Mon Jul 22 16:38:50 2002
From: Luigi Rizzo
To: Sean Chittenden
Cc: ipfw@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: Increasing the hash table size for dummynet...
Date: Mon, 22 Jul 2002 16:36:30 -0700

On Mon, Jul 22, 2002 at 03:46:53PM -0700, Sean Chittenden wrote:
> > [Sorry for the cross post: I don't know where the dummynet gurus live]
> >
> > I have a situation where I'm rate shaping a LARGE number of
> > concurrent TCP connections, however I've run into a slight
> > problem/limitation: dummynet has a max hash table size of 1024 and I'm
> > currently handling about 8-17K in TCP connections in a single queue.
> > :-/ I quickly looked over the hash algorithm and couldn't see any
> > reason why the max size couldn't be increased beyond 1024. Could
> > someone comment on the attached? -sc

The only thing to verify is that the hash function distributes the sessions well among the available slots. I have not looked too carefully at it; actually, if you can provide (privately) the output of "ipfw pipe show" that would be an interesting data set.

We are using hash tables with IP addresses in 4 places: dummynet pipes, ipfw dynamic rules, ip_flow.c and libalias.
cheers
luigi

From owner-freebsd-ipfw Tue Jul 23 03:46:17 2002
From: "Dmitry Demyanchuk"
Subject: ipfw2 bug?
Date: Tue, 23 Jul 2002 12:46:06 +0200

I'm using a combination of ipfw&natd+ipf&ipnat together on my router running fbsd4.6-stable. Upgrading the ipfw to ipfw2 had the following results:

1) I don't know if it is a bug, but the fwd action appears to be disabled in IPFW2. Monitoring the interface with tcpdump, there is no forwarded traffic, but the rule counter keeps on increasing.

2) I'm getting the following message:

root@hydra:/usr/src/sys:> ipfw add 25 allow ip from 10.1.1.0/24{1,2} to any
ipfw: bad width ``241''
root@hydra:/usr/src/sys:>

Sources used and working so far:

FreeBSD 4.6-STABLE #0: Tue Jul 23 01:19:17 EET 2002
 * $FreeBSD: src/sbin/ipfw/ipfw2.c,v 1.2 2002/07/05 22:43:06 luigi Exp $
 * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.73 2002/07/17 07:21:42 luigi Exp $
 * $FreeBSD: src/sys/netinet/ip_fw2.c,v 1.5 2002/07/14 23:47:18 luigi Exp $
 * $FreeBSD: src/sys/netinet/ip_dummynet.c,v 1.24.2.15 2002/07/18 04:43:52 luigi Exp $
 * $FreeBSD: src/sys/netinet/ip_dummynet.h,v 1.10.2.5 2002/07/09 09:11:42 luigi Exp $
ip_fw2.h from ipfw2.stable.020715.diffs patch

Other "set" of sources caused the box to crash/panic when packet hit any of the pipe/dummynet rule.

-------------------------
Dmitry Demyanchuk
SkyNET SA
http://www.skynet.lt

From owner-freebsd-ipfw Tue Jul 23 03:48:53 2002
Date: Tue, 23 Jul 2002 03:48:50 -0700
From: Bill Fumerola
To: Dmitry Demyanchuk
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 bug?

On Tue, Jul 23, 2002 at 12:46:06PM +0200, Dmitry Demyanchuk wrote:
> 2) im getting the following message:
> root@hydra:/usr/src/sys:> ipfw add 25 allow ip from 10.1.1.0/24{1,2} to any
> ipfw: bad width ``241''
> root@hydra:/usr/src/sys:>

What would you expect ipfw to do when asked to use 10.1.1.0/241 as a range?

-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

From owner-freebsd-ipfw Tue Jul 23 04:07:37 2002
From: "Dmitry Demyanchuk"
To: "Bill Fumerola"
Subject: RE: ipfw2 bug?
Date: Tue, 23 Jul 2002 13:07:29 +0200

On Tue, Jul 23, 2002 at 12:46:06PM +0200, Dmitry Demyanchuk wrote:
>> 2) I'm getting the following message:
>> root@hydra:/usr/src/sys:> ipfw add 25 allow ip from 10.1.1.0/24{1,2} to any
>> ipfw: bad width ``241''
>> root@hydra:/usr/src/sys:>

> What would you expect ipfw to do when asked to use 10.1.1.0/241 as a range?

I would expect the same action as

ipfw add 25 allow ip from { 10.1.1.1 or 10.1.1.2 } to any

> -- 
> - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

Date: Tue, 23 Jul 2002 13:21:29 +0200
From: Dean Strik
To: Dmitry Demyanchuk
Cc: Bill Fumerola, ipfw@FreeBSD.ORG
Subject: Re: ipfw2 bug?

Dmitry Demyanchuk wrote:
> On Tue, Jul 23, 2002 at 12:46:06PM +0200, Dmitry Demyanchuk wrote:
> >> 2) I'm getting the following message:
> >> root@hydra:/usr/src/sys:> ipfw add 25 allow ip from 10.1.1.0/24{1,2} to any
> >> ipfw: bad width ``241''
> >> root@hydra:/usr/src/sys:>
> > What would you expect ipfw to do when asked to use 10.1.1.0/241 as a range?
> I would expect the same action as ipfw add 25 allow ip from { 10.1.1.1 or
> 10.1.1.2 } to any

1. The /24 means 10.1.1.xxx, where 0<=x<=255
2. Your shell probably expands the {1,2} block to 10.1.1.0/241 10.1.10.0/242

-- 
Dean C. Strik                      Eindhoven University of Technology
dean@stack.nl | dean@ipnet6.org | http://www.ipnet6.org/
"This isn't right. This isn't even wrong."
    -- Wolfgang Pauli

Date: Tue, 23 Jul 2002 04:27:24 -0700
From: Bill Fumerola
To: Dmitry Demyanchuk
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 bug?

On Tue, Jul 23, 2002 at 01:07:29PM +0200, Dmitry Demyanchuk wrote:
> On Tue, Jul 23, 2002 at 12:46:06PM +0200, Dmitry Demyanchuk wrote:
> >> 2) I'm getting the following message:
> >> root@hydra:/usr/src/sys:> ipfw add 25 allow ip from 10.1.1.0/24{1,2} to any
> >> ipfw: bad width ``241''
> >> root@hydra:/usr/src/sys:>
> > What would you expect ipfw to do when asked to use 10.1.1.0/241 as a range?
> I would expect the same action as ipfw add 25 allow ip from { 10.1.1.1 or
> 10.1.1.2 } to any

Modern networking disagrees. Stuffing a 241 bit value into a 32 bit netmask is hard. Perhaps Linux has accomplished that, though.
-- 
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org

From: "Didier Rwitura"
Subject: Re: disconection
Date: Tue, 23 Jul 2002 11:56:39 -0400

Here are the rules:

#allow ssh
add 00300 allow tcp from any to me ssh
add 00301 allow tcp from me 22 to any
add 00302 allow tcp from any to any out setup keep-state

====================================
Didier Rwitura
Technical Support // Soutien Technique
P R I M U S TELECOMMUNICATIONS Inc
1-888-222-8577 Business
1-800-370-0015 Residential
Ext 8628
Email: drwitura@primus.ca
Tech support Email : support@primus.ca
Please visit // Visitez svp http://support.primus.ca or // ou http://www.primushost.com

----- Original Message -----
From: "Bernd Walter"
To: "Didier Rwitura"
Sent: Friday, July 19, 2002 4:56 AM
Subject: Re: disconection

> On Thu, Jul 18, 2002 at 01:52:26PM -0400, Didier Rwitura wrote:
> > Thanks Martin and Thomas
> >
> > - the auto-off is off completely .. I guess the reason is mostly the
> > firewall
> >
> > - to answer Thomas
> >
> > yeap I do
> > here are my ipfw rules :
> >
> > #allow ssh
> > add 00300 allow tcp from 216.254.136.110 to any ssh in setup keep-state
> >
> > add 00301 allow tcp from any to any out setup keep-state
> >
> > add 00302 allow tcp from any ssh to any out setup keep-state
> > add 00304 allow tcp from any to any ssh in
> > add 00305 allow tcp from any to any out setup keep-state
> > add 299 check-states
>
> What is the duplicate 301/305 for?
> If you need 304 that's a good sign that packets for your session did
> not pass through a check-states.
>
> --
> B.Walter              COSMO-Project         http://www.cosmo-project.de
> ticso@cicely.de         Usergroup           info@cosmo-project.de

Date: Tue, 23 Jul 2002 10:16:10 -0700
From: Luigi Rizzo
To: Dmitry Demyanchuk
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 bug?

#1 -- I tried "forward" and it seemed to work. The definitive test would be to make sure that the same exact ruleset works with the old ipfw, and in case send me the offending ruleset and the traffic that does not work for you. Of course the combination ipfw&natd+ipf&ipnat is the messiest thing you can have in the world, so I won't promise results....

#2 -- as someone noticed, it is probably your shell expanding {1,2} -- mine (plain sh) doesn't. In case, put a \ before the braces.

#3 -- if you have some rules that cause crashes, please post them, as I obviously have all the interest in fixing these bugs.

cheers
luigi

On Tue, Jul 23, 2002 at 12:46:06PM +0200, Dmitry Demyanchuk wrote:
> I'm using a combination of ipfw&natd+ipf&ipnat together on my router running
> fbsd4.6-stable.
> Upgrading the ipfw to ipfw2 had the following results:
>
> 1) I don't know if it is a bug, but the fwd action appears to be disabled in
> IPFW2. Monitoring the interface with tcpdump, there is no forwarded traffic,
> but the rule counter keeps on increasing.
>
> 2) I'm getting the following message:
> root@hydra:/usr/src/sys:> ipfw add 25 allow ip from 10.1.1.0/24{1,2} to any
> ipfw: bad width ``241''
> root@hydra:/usr/src/sys:>
>
> sources used and working so far:
> FreeBSD 4.6-STABLE #0: Tue Jul 23 01:19:17 EET 2002
> * $FreeBSD: src/sbin/ipfw/ipfw2.c,v 1.2 2002/07/05 22:43:06 luigi Exp $
> * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.73 2002/07/17 07:21:42 luigi Exp $
> * $FreeBSD: src/sys/netinet/ip_fw2.c,v 1.5 2002/07/14 23:47:18 luigi Exp $
> * $FreeBSD: src/sys/netinet/ip_dummynet.c,v 1.24.2.15 2002/07/18 04:43:52 luigi Exp $
> * $FreeBSD: src/sys/netinet/ip_dummynet.h,v 1.10.2.5 2002/07/09 09:11:42 luigi Exp $
> ip_fw2.h from ipfw2.stable.020715.diffs patch
>
> other "set" of sources caused the box to crash/panic when a packet hit any of
> the pipe/dummynet rules
>
> -------------------------
> Dmitry Demyanchuk
> SkyNET SA
> http://www.skynet.lt

Date: Tue, 23 Jul 2002 11:54:03 -0700 (PDT)
From: Netmetrica corp
Subject: IPFW Problem with Aliases on single Interface
To: freebsd-ipfw@freebsd.org

I'm running BSD4.5 with one ethernet interface. That interface has multiple IP aliases. I would like to give each IP address a separate ingress and egress rule. Or, in other words, I want different subnets to be treated separately if those subnets are aliases on the same physical interface.

However, the IPFW takes a shortcut and it seems to just use the single outgoing interface instead of the multiple IP addresses that are assigned to that interface. Is there a reason that this feature is not supported other than speed?

If my question is not clear please tell me to explain it further.

With regards,
~N

Date: Tue, 23 Jul 2002 12:01:04 -0700
From: Michael Sierchio
To: Netmetrica corp
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW Problem with Aliases on single Interface

Netmetrica corp wrote:
> I'm running BSD4.5 with one ethernet interface. That
> interface has multiple IP aliases. I would like to
> give each IP address a separate ingress and egress
> rule. Or, in other words, I want different subnets to
> be treated separately if those subnets are aliases
> on the same physical interface.
> However, the IPFW takes a shortcut and it seems to
> just use the single outgoing interface instead of
> the multiple IP addresses that are assigned to that
> interface. Is there a reason that this feature is not
> supported other than speed?

It's not ipfw, but IP that does this. This is the case on every platform, in every implementation I know. All outbound traffic will go out the primary interface on the same net, even if they are separate physical interfaces. There is a way to do what you intend with a combination of ipfw and natd, and it gets fairly hairy.

Date: Tue, 23 Jul 2002 12:24:08 -0700
From: rick norman
Subject: Re: IPFW Problem with Aliases on single Interface
To: freebsd-ipfw@FreeBSD.ORG

Michael Sierchio wrote:
> Netmetrica corp wrote:
> > I'm running BSD4.5 with one ethernet interface. That
> > interface has multiple IP aliases. I would like to
> > give each IP address a separate ingress and egress
> > rule. Or, in other words, I want different subnets to
> > be treated separately if those subnets are aliases
> > on the same physical interface.
> > However, the IPFW takes a shortcut and it seems to
> > just use the single outgoing interface instead of
> > the multiple IP addresses that are assigned to that
> > interface. Is there a reason that this feature is not
> > supported other than speed?
>
> It's not ipfw, but IP that does this. This is the case on
> every platform, in every implementation I know. All outbound
> traffic will go out the primary interface on the same net,
> even if they are separate physical interfaces. There
> is a way to do what you intend with a combination of ipfw and natd,
> and it gets fairly hairy.

I think there is a limitation in ipfw that prohibits writing rules for next-hop outbound aliased subnets. In 4.5 there seems to be a limitation that won't allow packets being routed out on different subnets to be treated separately if those subnets are aliases on the same physical interface. I would like to see a solution to this problem also.
-- 
"In the Big Rock Candy Mountains the jails are made of tin,
And you can walk right out again as soon as you are in
There ain't no short-handled shovels, no axes, saws or picks,
I'm a-goin' to stay where you sleep all day
Where they hung the jerk that invented work
In the Big Rock Candy Mountains"

wk: 408 742 1619    rick.norman@lmco.com
hm: 650 726 0677    rnorman@ikaika.com
cell: 650 303 3877

Date: Tue, 23 Jul 2002 20:28:49 -0700
From: Luigi Rizzo
To: stable@freebsd.org
Subject: HEADS-UP ipfw now in -stable (as an optional replacement of the old ipfw)

FYI.... (please read the commit log below before complaining).

cheers
luigi

----- Forwarded message from Luigi Rizzo -----

Date: Tue, 23 Jul 2002 20:21:24 -0700 (PDT)
From: Luigi Rizzo
Subject: cvs commit: src/sys/netinet ip_fw2.c ip_fw2.h src/sys/conf files options src/sbin/ipfw Makefile ipfw2.c src/lib/libalias Makefile alias_db.c
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG

luigi       2002/07/23 20:21:24 PDT

  Modified files:        (Branch: RELENG_4)
    sys/conf             options files
    sbin/ipfw            Makefile
    lib/libalias         Makefile alias_db.c
  Added files:           (Branch: RELENG_4)
    sys/netinet          ip_fw2.h ip_fw2.c
    sbin/ipfw            ipfw2.c
  Log:
  Bring ipfw2 into the -stable tree. This will give more people
  a chance to test it, and hopefully accelerate the transition
  from the old to the new ipfw code.

  NOTE: THIS COMMIT WILL NOT CHANGE THE FIREWALL YOU USE, NOR A
  SINGLE BIT IN YOUR KERNEL AND BINARIES. YOU WILL KEEP USING
  YOUR OLD "ipfw" UNLESS YOU:

    + add "options IPFW2" (undocumented) to your kernel config file;
    + compile and install sbin/ipfw and lib/libalias with make -DIPFW2

  in other words, you must really want it.

  On the other hand, i believe you do really want to use this new
  code. In addition to being twice as fast in processing individual
  rules, you can use more powerful match patterns such as

      ... ip from 1.2.3.0/24{50,6,27,158} to ...
      ... ip from { 1.2.3.4/26 or 5.6.7.8/22 } to ...
      ... ip from any 5-7,9-66,1020-3000,4000-5000 to ...

  i.e. match sparse sets of IP addresses in constant time; use "or"
  connectives between match patterns; have multiple port ranges; etc.
  which I believe will dramatically reduce your ruleset size.

  As an additional bonus, "keep-state" rules will now send keepalives
  when the rule is about to expire, so you will not have your remote
  login sessions die while you are idle.

  The syntax is backward compatible with the old ipfw.
  A manual page documenting the extensions has yet to be completed.
  Revision     Changes    Path
  1.13.2.5     +4 -1      src/lib/libalias/Makefile
  1.21.2.14    +151 -36   src/lib/libalias/alias_db.c
  1.6.6.3      +5 -1      src/sbin/ipfw/Makefile
  1.4.2.1      +3166 -0   src/sbin/ipfw/ipfw2.c (new)
  1.340.2.107  +1 -0      src/sys/conf/files
  1.191.2.41   +1 -0      src/sys/conf/options
  1.6.2.1      +2622 -0   src/sys/netinet/ip_fw2.c (new)
  1.1.2.1      +404 -0    src/sys/netinet/ip_fw2.h (new)

----- End forwarded message -----
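The address-set syntax from the commit log above, and the "bad width ``241''" error from the ipfw2 thread earlier on this page, as an added example in Python (not ipfw's own code): it parses `addr/masklen{list}` into a bitmap so membership is a constant-time test, accepts `{ a or b }` blocks and plain CIDR fields, and models the shell brace expansion that turns `10.1.1.0/24{1,2}` into `10.1.1.0/241`. The 24..32 masklen limit for sets and the host-range form `35-55`, which later ipfw2 versions document, are assumptions of this model rather than text from the page.

```python
"""
Model of the ipfw2 address syntax (added example, not ipfw's own code).

  addr/masklen{list}   sparse host set inside a /24../32, matched via a bitmap
  { a or b }           "or" blocks of address patterns
  addr, addr/masklen   plain host or CIDR match
  any

Assumptions: list entries are host offsets from the base address and may be
ranges (35-55); a masklen outside 24..32 for a set, or above 32 for a plain
CIDR, is rejected with ipfw2's "bad width" message.
"""
import ipaddress
import re

ADDR_SET_RE = re.compile(r"^(?P<addr>[\d.]+)/(?P<width>\d+)\{(?P<items>[^{}]*)\}$")


class RuleSyntaxError(ValueError):
    """Raised for input ipfw2 would reject when the rule is loaded."""


def parse_width(text, minimum=0):
    width = int(text)
    if width < minimum or width > 32:
        # The check that the shell-expanded "10.1.1.0/241" trips over.
        raise RuleSyntaxError("bad width ``%s''" % text)
    return width


def parse_addr_set(spec):
    """Parse "addr/masklen{list}" into (base, size, bitmap).

    base   integer address of the set's first host (host bits cleared)
    size   number of addresses covered by masklen, i.e. 2**(32-masklen)
    bitmap bit n set when host offset n is a member
    """
    m = ADDR_SET_RE.match(spec)
    if m is None:
        raise RuleSyntaxError("not an address set: %r" % spec)
    width = parse_width(m.group("width"), minimum=24)
    size = 1 << (32 - width)
    net = ipaddress.ip_network("%s/%d" % (m.group("addr"), width), strict=False)
    base = int(net.network_address)
    bitmap = 0
    for item in m.group("items").split(","):
        lo, _, hi = item.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi < size:
            raise RuleSyntaxError("host %s is outside a /%d set" % (item.strip(), width))
        bitmap |= ((1 << (hi - lo + 1)) - 1) << lo   # set bits lo..hi
    return base, size, bitmap


def match_addr_set(parsed, ip):
    """Constant-time membership: one subtraction, one bounds check, one bit."""
    base, size, bitmap = parsed
    offset = int(ipaddress.ip_address(ip)) - base
    return 0 <= offset < size and (bitmap >> offset) & 1 == 1


def compile_address(spec):
    """Turn one source/destination field into a predicate ip -> bool."""
    spec = spec.strip()
    if spec == "any":
        return lambda ip: True
    if spec.startswith("{") and spec.endswith("}") and " or " in spec:
        alternatives = [compile_address(p) for p in spec[1:-1].split(" or ")]
        return lambda ip: any(alt(ip) for alt in alternatives)
    if "{" in spec:
        parsed = parse_addr_set(spec)
        return lambda ip: match_addr_set(parsed, ip)
    addr, _, width = spec.partition("/")
    if width:
        spec = "%s/%d" % (addr, parse_width(width))
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def rule_error(spec):
    """ipfw2's complaint for an address field, or "" when it is accepted."""
    try:
        compile_address(spec)
        return ""
    except ValueError as exc:      # RuleSyntaxError is a ValueError too
        return str(exc)


def sh_brace_expand(word):
    """What csh/bash do to an unquoted word holding one {a,b,...} group;
    plain /bin/sh leaves it alone. Simplified model for this thread only."""
    m = re.match(r"^(.*)\{([^{}]*,[^{}]*)\}(.*)$", word)
    if m is None:
        return [word]
    head, alternatives, tail = m.groups()
    return [head + alt + tail for alt in alternatives.split(",")]


if __name__ == "__main__":
    # What ipfw receives from an expanding shell, versus after quoting the braces
    # on the command line (... 10.1.1.0/24\{1,2\} ...).
    for word in sh_brace_expand("10.1.1.0/24{1,2}"):
        print(word, "->", rule_error(word) or "ok")
    match = compile_address("10.1.1.0/24{1,2}")
    print("quoted:", [ip for ip in ("10.1.1.1", "10.1.1.2", "10.1.1.3") if match(ip)])
```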
From: "Naga Suresh B"
Subject: problem with portforwarding
Date: Wed, 24 Jul 2002 11:00:20 +0530

Hai,

We are facing a problem in configuring the port forwarding on our gateway. We have a gateway with two network cards, one with an external IP (xxx.xxx.xxx.170) and another with an internal IP (192.168.0.200). We created an alias IP for another external IP (xxx.xxx.xxx.172) and we have done port forwarding of 443 to another internal IP (192.168.0.203) on another FreeBSD machine. We added the following lines in natd.conf on 192.168.0.200:

redirect_port tcp 192.168.0.203:443 xxx.xxx.xxx.172:443
redirect_port tcp 192.168.0.203:22 xxx.xxx.xxx.172:22

We are running ipfw on 192.168.0.200. We are running httpd on both the machines. After doing the port forwarding, when we try to access the application from outside, xxx.xxx.xxx.172 is working fine. But we are not able to access the application on 172 from inside with the public IP, whereas we are able to access the application with 192.168.0.203. Also the name does not resolve for the IP xxx.xxx.xxx.172 from the internal network, whereas the same thing happens from outside.

How do we solve this? Please give the solution as early as possible and please help us.
Regards,
Naga Suresh B

From: "Danny Carroll"
Subject: Dummynet queues and one-pass
Date: Wed, 24 Jul 2002 19:15:24 +0200

I am just starting to look at Dummynet to try and tune my ADSL connection. My problem is that an upload from my end at full rate cripples the download. I *thought* this was to do with ack packets not getting through, but now I am not so sure, so I guess if there are any TCP/IP gurus out there, then comments on this (common) issue are welcome. My copies of Internetworking with TCP/IP Vols I, II, and III have been lent to a non-returner.... :(

So. I have 1024Kbit down and 256Kbit up.
If I upload something, I get about 23-25 KBytes/sec.
If I download something, I get about 110 KBytes/sec.
If I do both at the same time, the rates drop to 16 and 89 respectively. Actually the upload xfer just stops and starts. (These tests were to an FTP server at my ISP with a 15MB binary file.)

I left one_pass at 1 and added 4 rules to my ipfw:

add 10 pipe 1 tcp from any to [ftpserveraddress] tcpflags ack
add 20 pipe 1 tcp from [ftpserveraddress] to any tcpflags ack
add 30 pipe 2 tcp from any to [ftpserveraddress] tcpflags !ack
add 40 pipe 2 tcp from [ftpserveraddress] to any tcpflags !ack

Then I configured both pipes to have 2048 bandwidth. (I do not want to limit the flow..) But looking at ipfw show, I noticed the ack rules (10 and 20) were the ones matching most of the data and packets. 30 and 40 were only matching a few.
So I didn't bother to configure the queues for giving priority to the ack packets (which is what I *thought* I should do) because I didn't understand what I was seeing. If most packets are ack packets, what packet types are the ones that I need to give more priority to so that my up/down connections will not stall?

Any comments?

One other question.... With regard to 1pass. If I set that to 0, which rules apply to my data? I mean, if the packet hits 3 deny rules then 1 allow, will it allow still? Does it go through all the rules and just apply the last one? And what performance hit should I expect when I start using 1pass = 0?

-D

-----------------------------------------------------------------
ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them.
----------------------------------------------------------------------------
Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them. ---------------------------------------------------------------------------- ------------------------------------------------------ ATTENTION: The information in this electronic mail message is private and confidential, and only intended for the addressee. Should you receive this message by mistake, you are hereby notified that any disclosure, reproduction, distribution or use of this message is strictly prohibited. Please inform the sender by reply transmission and delete the message without copying or opening it. Messages and attachments are scanned for all viruses known. If this message contains password-protected attachments, the files have NOT been scanned for viruses by the ING mail domain. Always scan attachments before opening them. 
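The following is an added example, not code from the thread or from FreeBSD: one way to do what Dizzy suggested (dummynet queues with different weights) for the ADSL case Danny describes, together with a helper for the one_pass sysctl he asks about. The interface name tun0, the 256/1024 kbit/s rates, the 90/10 weights and the per-host downstream queue are all assumptions chosen for illustration; the rule syntax is that of ipfw(8)/dummynet on FreeBSD 4.x, so check your own manual page before applying it. Matching "pure ACKs" on TCP flags alone is an approximation: a data segment with ACK set and PSH clear also lands in the priority queue.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw/dummynet ruleset for an ADSL
# uplink that keeps TCP ACKs moving while a bulk upload saturates the link,
# plus a helper for net.inet.ip.fw.one_pass.
#
# Assumptions (none of these are stated on the page): the ADSL interface is
# tun0, the link is 256 kbit/s up and 1024 kbit/s down, the 90/10 weights are
# a starting point, and the syntax is that of ipfw(8)/dummynet on FreeBSD 4.x.

fwcmd=${fwcmd:-/sbin/ipfw}    # set fwcmd=echo to print the rules instead

shape_adsl() {
    ext_if=$1
    # Shape at ~90% of the nominal rate so the queue forms here, where we
    # can reorder packets, instead of inside the modem, where we cannot.
    up_bw=$(($2 * 9 / 10))
    down_bw=$(($3 * 9 / 10))

    $fwcmd pipe 1 config bw "${up_bw}Kbit/s"
    $fwcmd pipe 2 config bw "${down_bw}Kbit/s"

    # Two WF2Q+ queues share the upstream pipe. Weights are relative: when
    # both queues are backlogged the ACK queue gets 90/100 of the bandwidth,
    # but it cannot hoard capacity it does not use.
    $fwcmd queue 1 config pipe 1 weight 90
    $fwcmd queue 2 config pipe 1 weight 10

    # Downstream: one dynamic queue per local destination address, all with
    # the same weight, so a single host's download cannot starve the others
    # (Danny's second option: only the heavy user is affected).
    $fwcmd queue 3 config pipe 2 weight 1 mask dst-ip 0xffffffff

    # Outbound ACK-only segments (ACK set, no PSH/SYN/FIN) go to the
    # high-weight queue; every other outbound packet to the bulk queue.
    $fwcmd add 100 queue 1 tcp from any to any out via "$ext_if" tcpflags ack,!psh,!syn,!fin
    $fwcmd add 110 queue 2 ip from any to any out via "$ext_if"

    # Inbound traffic is shaped per host as configured above.
    $fwcmd add 200 queue 3 ip from any to any in via "$ext_if"
    # With one_pass=1 (the default) a packet leaving a queue is accepted at
    # once, so any deny rule you rely on must be numbered *before* 100.
}

# net.inet.ip.fw.one_pass decides what happens after dummynet:
#   1: the packet is accepted as soon as it leaves the pipe/queue; rules
#      after the pipe/queue rule are never consulted for it.
#   0: the packet re-enters the ruleset at the rule following the
#      pipe/queue rule and the ordinary first-match search continues: the
#      first allow or deny it reaches decides; ipfw never tallies several
#      matching rules. The extra cost is one more walk over the rules that
#      follow the shaping rule, so keep those few.
set_one_pass() {
    case $1 in
        0|1) sysctl -w net.inet.ip.fw.one_pass="$1" ;;
        *)   echo "usage: set_one_pass 0|1" >&2; return 1 ;;
    esac
}

# Usage: shape_adsl tun0 256 1024; set_one_pass 1
```

Run it once with `fwcmd=echo` to review the generated rules before loading them. Security-wise the one_pass comment is the important part: with the default setting, anything that matches rule 100, 110 or 200 bypasses every rule numbered after it, so the deny rules must come first (or one_pass must be 0, at the cost of a second pass).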
----------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jul 25 0:16:59 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 79EF137B400 for ; Thu, 25 Jul 2002 00:16:57 -0700 (PDT) Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4182143E6A for ; Thu, 25 Jul 2002 00:16:57 -0700 (PDT) (envelope-from rizzo@iguana.icir.org) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g6P7Gqw95045; Thu, 25 Jul 2002 00:16:52 -0700 (PDT) (envelope-from rizzo) Date: Thu, 25 Jul 2002 00:16:52 -0700 
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: RFC: ipfw behaviour with non IPv4 packets
Message-ID: <20020725001652.A94913@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi,
I would like your input here on the following issue.

The original "ipfw" would only see IPv4 packets, so given a rule of the form

    ip from to

the "ip" protocol specifier effectively meant "any packet" (and "any" is in fact a synonym for "ip").

IPFW2 also sees non-ipv4 packets, so in some cases (e.g. when no other fields refer to IPv4 information, say "ip from any to any") the rule can be ambiguous. As a matter of fact, the way I have implemented it now is

    "ip" = "any" --> any packet, ipv4 or not

You can have the same ambiguity when you specify a protocol like "tcp" or "udp" -- do you want these rules to match only "*-over-ip4" or ipv6 as well ?

I am a bit uncertain on what is the best path, but i believe a reasonable one is to assume

    "ip" = "any" --> any IP packet (v4 or v6)

and similarly

    "proto" --> any packet of protocol "proto" over IP (v4 or v6)

Comments ?

thanks
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
TEL/FAX: +39-050-568.533/522     .
via Diotisalvi 2, 56126 PISA (Italy) Mobile +39-347-0373137 -----------------------------------+------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jul 25 2: 6:41 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5EE2837B400 for ; Thu, 25 Jul 2002 02:06:39 -0700 (PDT) Received: from skynet.stack.nl (insgate.stack.nl [131.155.140.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id C3C5843E3B for ; Thu, 25 Jul 2002 02:06:38 -0700 (PDT) (envelope-from marcolz@stack.nl) Received: from toad.stack.nl (toad.stack.nl [2001:610:1108:5010:202:b3ff:fe17:9e1a]) by skynet.stack.nl (Postfix) with ESMTP id 7F5054011; Thu, 25 Jul 2002 11:06:34 +0200 (CEST) Received: by toad.stack.nl (Postfix, from userid 333) id E045498D2; Thu, 25 Jul 2002 11:06:36 +0200 (CEST) Date: Thu, 25 Jul 2002 11:06:36 +0200 
From: Marc Olzheim To: Luigi Rizzo Cc: ipfw@freebsd.org Subject: Re: RFC: ipfw behaviour with non IPv4 packets Message-ID: <20020725090636.GA39394@stack.nl> References: <20020725001652.A94913@iguana.icir.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020725001652.A94913@iguana.icir.org> User-Agent: Mutt/1.4i X-Operating-System: FreeBSD toad.stack.nl 4.6-STABLE FreeBSD 4.6-STABLE X-URL: http://www.stack.nl/~marcolz/ Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG > I am a bit uncertain on what is the best path, but i believe a > reasonable one is to assume > > "ip" = "any" --> any IP packet (v4 or v6) > > and similarly > > "proto" --> any packet of protocol "proto" over IP (v4 or v6) > > Comments ? Wouldn't that break backward compatibility with IPFW1 ? Marc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jul 25 2:35:15 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9177A37B400 for ; Thu, 25 Jul 2002 02:35:13 -0700 (PDT) Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5027E43E81 for ; Thu, 25 Jul 2002 02:35:13 -0700 (PDT) (envelope-from rizzo@iguana.icir.org) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g6P9ZAt96170; Thu, 25 Jul 2002 02:35:10 -0700 (PDT) (envelope-from rizzo) Date: Thu, 25 Jul 2002 02:35:10 -0700 
From: Luigi Rizzo To: Marc Olzheim Cc: ipfw@FreeBSD.ORG Subject: Re: RFC: ipfw behaviour with non IPv4 packets Message-ID: <20020725023510.A96102@iguana.icir.org> References: <20020725001652.A94913@iguana.icir.org> <20020725090636.GA39394@stack.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020725090636.GA39394@stack.nl>; from marcolz@stack.nl on Thu, Jul 25, 2002 at 11:06:36AM +0200 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, Jul 25, 2002 at 11:06:36AM +0200, Marc Olzheim wrote: > > I am a bit uncertain on what is the best path, but i believe a > > reasonable one is to assume > > > > "ip" = "any" --> any IP packet (v4 or v6) > > > > and similarly > > > > "proto" --> any packet of protocol "proto" over IP (v4 or v6) > > > > Comments ? > > Wouldn't that break backward compatibility with IPFW1 ? on one hand, yes. on the other hand, ipfw1 is not supposed to see anything else but ipv4 packets in my view this gives us a reasonable amount of backward compatibility, and we can even provide switches (sysctl i would say) to achieve even stricter ipfw1 compatibility. in any case, i do not care too much -- i have no strong interest in v6 so either way is fine with me. 
cheers luigi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jul 25 2:51:21 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F30A537B400 for ; Thu, 25 Jul 2002 02:51:18 -0700 (PDT) Received: from skynet.stack.nl (insgate.stack.nl [131.155.140.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8449A43E6E for ; Thu, 25 Jul 2002 02:51:18 -0700 (PDT) (envelope-from marcolz@stack.nl) Received: from toad.stack.nl (toad.stack.nl [2001:610:1108:5010:202:b3ff:fe17:9e1a]) by skynet.stack.nl (Postfix) with ESMTP id A69F64012; Thu, 25 Jul 2002 11:51:14 +0200 (CEST) Received: by toad.stack.nl (Postfix, from userid 333) id 5913998D1; Thu, 25 Jul 2002 11:51:17 +0200 (CEST) Date: Thu, 25 Jul 2002 11:51:17 +0200 
From: Marc Olzheim To: Luigi Rizzo Cc: Marc Olzheim , ipfw@FreeBSD.ORG Subject: Re: RFC: ipfw behaviour with non IPv4 packets Message-ID: <20020725095117.GA48178@stack.nl> References: <20020725001652.A94913@iguana.icir.org> <20020725090636.GA39394@stack.nl> <20020725023510.A96102@iguana.icir.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020725023510.A96102@iguana.icir.org> User-Agent: Mutt/1.4i X-Operating-System: FreeBSD toad.stack.nl 4.6-STABLE FreeBSD 4.6-STABLE X-URL: http://www.stack.nl/~marcolz/ Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG > > Wouldn't that break backward compatibility with IPFW1 ? > > on one hand, yes. > on the other hand, ipfw1 is not supposed to see > anything else but ipv4 packets > > in my view this gives us a reasonable amount of backward > compatibility, and we can even provide switches (sysctl > i would say) to achieve even stricter ipfw1 compatibility. That would be the nice way to do it. During a transition period you could have the strict compatibility as default. > > in any case, i do not care too much -- i have no strong > interest in v6 so either way is fine with me. I do. I welcome support for IPv6 in ipfw2 itself, instead of the separate ip6fw stuff, but a smooth transition would be nice. 
Marc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jul 25 3:40:37 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1122E37B400 for ; Thu, 25 Jul 2002 03:40:35 -0700 (PDT) Received: from zibbi.icomtek.csir.co.za (zibbi.icomtek.csir.co.za [146.64.24.58]) by mx1.FreeBSD.org (Postfix) with ESMTP id E928743E70 for ; Thu, 25 Jul 2002 03:40:29 -0700 (PDT) (envelope-from jhay@zibbi.icomtek.csir.co.za) Received: (from jhay@localhost) by zibbi.icomtek.csir.co.za (8.11.6/8.11.6) id g6PAe5C64282; Thu, 25 Jul 2002 12:40:05 +0200 (SAT) (envelope-from jhay) 
From: John Hay Message-Id: <200207251040.g6PAe5C64282@zibbi.icomtek.csir.co.za> Subject: Re: RFC: ipfw behaviour with non IPv4 packets In-Reply-To: <20020725001652.A94913@iguana.icir.org> from Luigi Rizzo at "Jul 25, 2002 00:16:52 am" To: rizzo@icir.org (Luigi Rizzo) Date: Thu, 25 Jul 2002 12:40:05 +0200 (SAT) Cc: ipfw@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL54 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG > Hi, > I would like your input here on the following issue. > > > The original "ipfw" would only see IPv4 packets, so given a rule > of the form > > ip from to > > the "ip" protocol specifier effectively meant "any packet" (and > "any" is in fact a synonym for "ip"). > > IPFW2 also sees non-ipv4 packets, so in some cases (e.g. when no > other fields refer to IPv4 information, say "ip from any to any") > the rule can be ambiguous. As a matter of fact, the way I have > implemented it now is > > "ip" = "any" --> any packet, ipv4 or not > > You can have the same ambiguity when you specify a protocol like > "tcp" or "udp" -- do you want these rules to match only "*-over-ip4" > or ipv6 as well ? > > I am a bit uncertain on what is the best path, but i believe a > reasonable one is to assume > > "ip" = "any" --> any IP packet (v4 or v6) > > and similarly > > "proto" --> any packet of protocol "proto" over IP (v4 or v6) > It would be nice if ipfw can support both ipv4 and ipv6. Then we only need one "thing" to manage it all. Maybe the current "proto" field should be split in two? The current "abuse" of it will make it difficult to be able to specify just one of them. 
Currently putting ipv6 in this field means ipv6 tunneled over ipv4, but I can see that it would be nice to have a way to specify that a certain rule is only for ipv6 or only for ipv4 packets. So that I can do things like:

skipto 5 ipv6 proto all from any to any   # Catch all native ipv6 packets
allow ipv4 proto ipv6 from any to any     # catch tunneled packets
allow all proto tcp ...                   # catch both ipv4 and ipv6 packets

John
--
John Hay -- John.Hay@icomtek.csir.co.za / jhay@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Thu Jul 25 3:50:18 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D05D37B401 for ; Thu, 25 Jul 2002 03:50:14 -0700 (PDT)
Received: from mail.alexdupre.com (212-41-211-209.adsl.galactica.it [212.41.211.209]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78BF343E84 for ; Thu, 25 Jul 2002 03:50:07 -0700 (PDT) (envelope-from sysadmin@alexdupre.com)
Received: from thunder ([192.168.0.101]) by mail.alexdupre.com (MERAK 3.10.011) with ESMTP id F05B6CDE; Thu, 25 Jul 2002 12:58:36 +0200
Date: Thu, 25 Jul 2002 12:50:00 +0200
From: Alex Dupre
X-Mailer: The Bat! (v1.60q)
Reply-To: Alex Dupre
X-Priority: 3 (Normal)
Message-ID: <291005492511.20020725125000@alexdupre.com>
To: John Hay
Cc: ipfw@FreeBSD.ORG
Subject: Re: RFC: ipfw behaviour with non IPv4 packets
In-Reply-To: <200207251040.g6PAe5C64282@zibbi.icomtek.csir.co.za>
References: <200207251040.g6PAe5C64282@zibbi.icomtek.csir.co.za>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Thursday, July 25, 2002, 12:40:05 PM, you wrote:

JH> It would be nice if ipfw can support both ipv4 and ipv6. Then we only need
JH> one "thing" to manage it all.

As Luigi told me, you can already do it by adding an extra protocol specifier, e.g.

ipv4 tcp from any to any
ipv6 udp from any to any

So, I think "ip" should match either ipv4 or ipv6.

--
Alex Dupre
sysadmin@alexdupre.com
http://www.alexdupre.com/
alex@sm.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Thu Jul 25 3:53:51 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DD44337B400 for ; Thu, 25 Jul 2002 03:53:48 -0700 (PDT)
Received: from arrakis.tiscali.no (arrakis.tiscali.no [213.142.66.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 405F143E6A for ; Thu, 25 Jul 2002 03:53:48 -0700 (PDT) (envelope-from needle+ipfw@verloid.net)
Received: from dustpuppy.world-online.no (dustpuppy.world-online.no [213.142.66.194]) by arrakis.tiscali.no (Postfix) with SMTP id 8CFAE1FAF for ; Thu, 25 Jul 2002 12:53:46 +0200 (CEST)
Received: by dustpuppy.world-online.no (sSMTP sendmail emulation); Thu, 25 Jul 2002 12:53:46 +0200
Date: Thu, 25 Jul 2002 12:53:46 +0200
From: "Jo B. Grasmo"
To: ipfw@freebsd.org
Subject: IPFW2
Message-ID: <20020725125346.A8987@dustpuppy.world-online.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
X-Operating-System: SunOS 5.7
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hello,

I upgraded to the latest -stable yesterday to check out ipfw2, and it loaded my ruleset perfectly, so 2 thumbs up so far.

Given the extremely simple (and useless, I know) ruleset:

# ipfw -at list
01000        0          0 check-state
01010        8        848 Thu Jul 25 12:43:43 2002 deny tcp from any to any established
01020     5862     587140 Thu Jul 25 12:43:58 2002 allow tcp from any to any setup keep-state
65535    17407    2155622 Thu Jul 25 12:43:07 2002 deny ip from any to any

IPFW1 used to list connections matching dynamic rules explicitly. Has that functionality been removed or just hasn't it been implemented yet?

On a side-note, I've never seen "check-state" counters increment. Shouldn't they? The rule obviously works, because if I remove it all connections die.

IPFW1 also rewrote rules like this:

ipfw add 2000 allow tcp from any to 10.1.1.1 22 in via xl0 setup keep-state

into this:

02000 allow tcp from any to 10.1.1.1 22 keep-state in recv xl0 setup

IPFW2 doesn't, which broke my scripts.

One final question, when can we see IPFW2 as a kernel module? :-)

Regards,

Jo B.
Grasmo To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jul 25 10:28:36 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D031937B405 for ; Thu, 25 Jul 2002 10:28:31 -0700 (PDT) Received: from smtp.noos.fr (claudel.noos.net [212.198.2.83]) by mx1.FreeBSD.org (Postfix) with ESMTP id E5D0843E42 for ; Thu, 25 Jul 2002 10:28:30 -0700 (PDT) (envelope-from root@gits.dyndns.org) Received: (qmail 34400288 invoked by uid 0); 25 Jul 2002 17:28:29 -0000 Received: from unknown (HELO gits.gits.dyndns.org) ([212.198.229.153]) (envelope-sender ) by 212.198.2.83 (qmail-ldap-1.03) with SMTP for ; 25 Jul 2002 17:28:29 -0000 Received: from gits.gits.dyndns.org (zq1xw2di583oogs7@localhost [127.0.0.1]) by gits.gits.dyndns.org (8.12.5/8.12.5) with ESMTP id g6PHSSq4071784; Thu, 25 Jul 2002 19:28:28 +0200 (CEST) (envelope-from root@gits.dyndns.org) Received: (from root@localhost) by gits.gits.dyndns.org (8.12.5/8.12.5/Submit) id g6PHSSlF071783; Thu, 25 Jul 2002 19:28:28 +0200 (CEST) (envelope-from root) Date: Thu, 25 Jul 2002 19:28:28 +0200 
From: Cyrille Lefevre To: "Jo B. Grasmo" Cc: ipfw@FreeBSD.ORG Subject: Re: IPFW2 Message-ID: <20020725172828.GG58642@gits.dyndns.org> References: <20020725125346.A8987@dustpuppy.world-online.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020725125346.A8987@dustpuppy.world-online.no> User-Agent: Mutt/1.3.99i Organization: ACME X-Face: V|+c;4!|B?E%BE^{E6);aI.[< List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, Jul 25, 2002 at 12:53:46PM +0200, Jo B. Grasmo wrote: > > One final question, when can we see IPFW2 as a kernel module? :-) > IMHO, modifying sys/modules/ipfw/Makefile as in -current should suffice. (not tested, yet, sorry.) Index: /sys/modules/ipfw/Makefile =================================================================== RCS file: /home/ncvs/src/sys/modules/ipfw/Makefile,v retrieving revision 1.11 diff -u -r1.11 Makefile --- /sys/modules/ipfw/Makefile 28 Aug 1999 00:47:21 -0000 1.11 +++ /sys/modules/ipfw/Makefile 25 Jul 2002 17:25:07 -0000 
@@ -2,9 +2,10 @@ .PATH: ${.CURDIR}/../../netinet KMOD= ipfw -SRCS= ip_fw.c +SRCS= ip_fw2.c NOMAN= CFLAGS+= -DIPFIREWALL +CFLAGS+= -DIPFW2 # #If you want it verbose #CFLAGS+= -DIPFIREWALL_VERBOSE Cyrille. -- Cyrille Lefevre mailto:cyrille.lefevre@laposte.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jul 25 10:43: 7 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7068037B400 for ; Thu, 25 Jul 2002 10:43:04 -0700 (PDT) Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D5C143E42 for ; Thu, 25 Jul 2002 10:43:04 -0700 (PDT) (envelope-from rizzo@iguana.icir.org) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g6PHgut01007; Thu, 25 Jul 2002 10:42:56 -0700 (PDT) (envelope-from rizzo) Date: Thu, 25 Jul 2002 10:42:56 -0700 
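Review bot: the hunk replaces ip_fw.c with ip_fw2.c and appends -DIPFW2 unconditionally, so every build of the ipfw module from this Makefile becomes ipfw2, whereas the RELENG_4 import quoted later in this thread is deliberately opt-in (nothing changes unless you add "options IPFW2" and build sbin/ipfw and lib/libalias with make -DIPFW2). Select the sources with the same knob rather than hard-coding them: keep `SRCS= ip_fw.c` as the default and wrap the two changed lines in `.if defined(IPFW2)` / `SRCS= ip_fw2.c` plus `CFLAGS+= -DIPFW2` / `.else` / `.endif`, so that `make -DIPFW2` in sys/modules/ipfw produces a module matching a userland built the same way and a plain `make` still produces the old firewall. Since the author says the change is untested, the smoke test worth reporting is kldload followed by `ipfw list` with the ipfw2-built ipfw(8); an old ipfw(8) talking to an ipfw2 module is exactly the kernel/userland mismatch Dan Pelleg describes at the end of this thread.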
From: Luigi Rizzo
To: "Jo B. Grasmo"
Cc: ipfw@FreeBSD.ORG
Subject: Re: IPFW2
Message-ID: <20020725104256.B806@iguana.icir.org>
References: <20020725125346.A8987@dustpuppy.world-online.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020725125346.A8987@dustpuppy.world-online.no>; from needle+ipfw@verloid.net on Thu, Jul 25, 2002 at 12:53:46PM +0200
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Jul 25, 2002 at 12:53:46PM +0200, Jo B. Grasmo wrote:
...
> 01000 0 0 check-state
> 01010 8 848 Thu Jul 25 12:43:43 2002 deny tcp from any to any established
> 01020 5862 587140 Thu Jul 25 12:43:58 2002 allow tcp from any to any setup keep-state
> 65535 17407 2155622 Thu Jul 25 12:43:07 2002 deny ip from any to any
>
> IPFW1 used to list connections matching dynamic rules explicitly. Has
> that functionality been removed or just hasn't it been implemented
> yet?

you need to do

    ipfw -d list

(the -d flag has been in for some time now).

> On a side-note, I've never seen "check-state" counters increment.
> Shouldn't they? The rule obviously works, because if I remove it all

they always increment the parent of the dynamic rule.

> connections die.
>
> IPFW1 also rewrote rules like this:
> ipfw add 2000 allow tcp from any to 10.1.1.1 22 in via xl0 setup keep-state
> into this:
> 02000 allow tcp from any to 10.1.1.1 22 keep-state in recv xl0 setup
>
> IPFW2 doesn't, which broke my scripts.

because "via" is different from "recv" :) though i agree that "in via" can never match an output interface because there isn't one.

cheers
luigi

> One final question, when can we see IPFW2 as a kernel module? :-)
>
>
> Regards,
>
> Jo B.
Grasmo > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jul 25 11:42:32 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC59E37B492 for ; Thu, 25 Jul 2002 11:42:25 -0700 (PDT) Received: from grumpy.dyndns.org (user-24-214-34-52.knology.net [24.214.34.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id CB07A43E3B for ; Thu, 25 Jul 2002 11:42:24 -0700 (PDT) (envelope-from dkelly@grumpy.dyndns.org) Received: from grumpy.dyndns.org (localhost [127.0.0.1]) by grumpy.dyndns.org (8.12.5/8.12.5) with ESMTP id g6PIgIOO002087 for ; Thu, 25 Jul 2002 13:42:18 -0500 (CDT) (envelope-from dkelly@grumpy.dyndns.org) Received: (from dkelly@localhost) by grumpy.dyndns.org (8.12.5/8.12.5/Submit) id g6PIgHhe002086 for ipfw@FreeBSD.ORG; Thu, 25 Jul 2002 13:42:17 -0500 (CDT) Date: Thu, 25 Jul 2002 13:42:17 -0500 
From: David Kelly
To: ipfw@FreeBSD.ORG
Subject: Re: IPFW2
Message-ID: <20020725184217.GA2059@grumpy.dyndns.org>
References: <20020725125346.A8987@dustpuppy.world-online.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020725125346.A8987@dustpuppy.world-online.no>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Jul 25, 2002 at 12:53:46PM +0200, Jo B. Grasmo wrote:
> Hello,
>
> I upgraded to the latest -stable yesterday to check out ipfw2, and it
> loaded my ruleset perfectly, so 2 thumbs up so far.

Me too (or is that "me three"?)

Other than playing with some of the new features is there a way to detect it is really IPFW2 which is loaded and running? I don't see any hints in dmesg to indicate anything has changed so I have doubts. I think this is the most likely place in dmesg's output to look:

: IP packet filtering initialized, divert disabled, rule-based forwarding
: enabled, default to deny, logging logging unlimited

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Jul 26 15:20:48 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64D7A37B400 for ; Fri, 26 Jul 2002 15:20:45 -0700 (PDT) Received: from smtp020.tiscali.dk (smtp020.tiscali.dk [212.54.64.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id 13B9A43E4A for ; Fri, 26 Jul 2002 15:20:44 -0700 (PDT) (envelope-from needle+ipfw@verloid.net) Received: from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159]) by smtp020.tiscali.dk (8.12.5/8.12.5) with ESMTP id g6QMKFXq025038 for ; Sat, 27 Jul 2002 00:20:40 +0200 (MEST) Received: from resentment.verloid.net (213.234.100.11) by cpmail.dk.tiscali.com (6.0.053) id 3D4117210000F607 for ipfw@freebsd.org; Sat, 27 Jul 2002 00:20:41 +0200 Received: from resentment.verloid.net (localhost.verloid.net [127.0.0.1]) by resentment.verloid.net (8.9.3/8.9.3) with SMTP id AAA02309; Sat, 27 Jul 2002 00:08:32 +0200 (CEST) (envelope-from needle+ipfw@verloid.net) Received: by resentment.verloid.net (sSMTP sendmail emulation); Sat, 27 Jul 2002 00:08:31 +0200 Date: Sat, 27 Jul 2002 00:08:31 +0200 
From: "Jo B. Grasmo"
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: IPFW2
Message-ID: <20020727000831.A2252@resentment.verloid.net>
References: <20020725125346.A8987@dustpuppy.world-online.no> <20020725104256.B806@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020725104256.B806@iguana.icir.org>; from rizzo@icir.org on Thu, Jul 25, 2002 at 10:42:56AM -0700
X-Operating-System: FreeBSD 3.5-STABLE
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Jul 25, 2002 at 10:42:56AM -0700, Luigi Rizzo wrote:
| On Thu, Jul 25, 2002 at 12:53:46PM +0200, Jo B. Grasmo wrote:
(...)
| > IPFW1 also rewrote rules like this:
| > ipfw add 2000 allow tcp from any to 10.1.1.1 22 in via xl0 setup keep-state
| > into this:
| > 02000 allow tcp from any to 10.1.1.1 22 keep-state in recv xl0 setup
| >
| > IPFW2 doesn't, which broke my scripts.
|
| because "via" is different from "recv" :) though i agree that
| "in via" can never match an output interface because there isn't one.

Quite, but also notice that "keep-state" is moved from after "setup" to after the port number. With IPFW2 you can add the "keep-state, setup, via, in, " options in almost whichever order you prefer, and they're displayed exactly like you typed them. The flexibility when adding rules might be nice, but I'd like some consistency when they are displayed.

Examples:

allow tcp from any to 10.1.1.1 22 setup setup setup
allow tcp from any to 10.1.1.1 22 setup in keep-state via xl0 setup
allow tcp from any to 10.1.1.1 22 keep-state setup in via xl0 via lo0 in via xl1

All 3 seem to work, but what exactly the side-effects of the last one are I haven't had a chance to test yet.

I discovered another curiosity.
This rule works as expected:

allow tcp from any to 10.1.1.1 22 via xl0 in setup keep-state

But this seems to also trigger on already established connections:

allow tcp from any to 10.1.1.1 22 keep-state in via xl0 setup

Having "65000 allow ip from any to any" and adding the above rule results in this:

# ipfw -atd list
01000       36       3216 Fri Jul 26 23:46:03 2002 allow tcp from any to 10.1.1.1 22 keep-state in via xl0 setup
65000     9983    1629861 Fri Jul 26 23:46:03 2002 allow ip from any to any
65535   216625   26858297 Thu Jul 25 13:17:10 2002 deny ip from any to any
## Dynamic rules (1):
01000        8        704 (1s) STATE tcp 10.1.1.2 3807 <-> 10.1.1.1 22

If I have 2 connections open to the box when I add the rule, and there's activity on both connections, I get 2 dynamic rules like the one above listed. Of course, I'm also getting a lot of "/kernel: install_state: entry already present, done" in my logs, so I'm guessing this is related to the overloading you mentioned earlier.

Regards,

Jo B. Grasmo

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Jul 26 15:38:29 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E88E837B400 for ; Fri, 26 Jul 2002 15:38:27 -0700 (PDT)
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8DA8343E42 for ; Fri, 26 Jul 2002 15:38:27 -0700 (PDT) (envelope-from rizzo@iguana.icir.org)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g6QMcON13465; Fri, 26 Jul 2002 15:38:24 -0700 (PDT) (envelope-from rizzo)
Date: Fri, 26 Jul 2002 15:38:24 -0700
From: Luigi Rizzo
To: "Jo B. Grasmo"
Cc: ipfw@FreeBSD.ORG
Subject: Re: IPFW2
Message-ID: <20020726153824.G12623@iguana.icir.org>
References: <20020725125346.A8987@dustpuppy.world-online.no> <20020725104256.B806@iguana.icir.org> <20020727000831.A2252@resentment.verloid.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020727000831.A2252@resentment.verloid.net>; from needle+ipfw@verloid.net on Sat, Jul 27, 2002 at 12:08:31AM +0200
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sat, Jul 27, 2002 at 12:08:31AM +0200, Jo B. Grasmo wrote:
...
> Quite, but also notice that "keep-state" is moved from after "setup" to

so, keep-state is certainly meant to be the last opcode in a rule, i will update the userland and the kernel to make sure that this condition is verified.

Other options can be in arbitrary order, and I think that trying to make the code print in a specified order is not worth pursuing, especially given that you can have OR blocks now.
But it is all a matter of adding complexity to the userland part, so if there are volunteers I'll be glad to integrate the code in ipfw2.c cheers luigi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Sat Jul 27 11:44:10 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 27EFC37B400; Sat, 27 Jul 2002 11:44:07 -0700 (PDT) Received: from gs166.sp.cs.cmu.edu (GS166.SP.CS.CMU.EDU [128.2.205.169]) by mx1.FreeBSD.org (Postfix) with SMTP id 97C0743E42; Sat, 27 Jul 2002 11:44:06 -0700 (PDT) (envelope-from dpelleg@gs166.sp.cs.cmu.edu) To: Luigi Rizzo Cc: ipfw@freebsd.org Subject: Re: HEADS-UP ipfw now in -stable (as an optional replacement of the old ipfw) References: <20020723202849.A82296@iguana.icir.org> From: Dan Pelleg Date: 27 Jul 2002 14:43:35 -0400 In-Reply-To: <20020723202849.A82296@iguana.icir.org> Message-ID: Lines: 63 User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Luigi Rizzo writes: > FYI.... > > (please read the commit log below before complaining). > > cheers > luigi 
>
> From: Luigi Rizzo
> Subject: cvs commit: src/sys/netinet ip_fw2.c ip_fw2.h src/sys/conf files
>          options src/sbin/ipfw Makefile ipfw2.c src/lib/libalias Makefile
>          alias_db.c
> To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
> Date: Tue, 23 Jul 2002 20:21:24 -0700 (PDT)
>
> luigi       2002/07/23 20:21:24 PDT
>
>   Modified files:        (Branch: RELENG_4)
>     sys/conf             options files
>     sbin/ipfw            Makefile
>     lib/libalias         Makefile alias_db.c
>   Added files:           (Branch: RELENG_4)
>     sys/netinet          ip_fw2.h ip_fw2.c
>     sbin/ipfw            ipfw2.c
>   Log:
>   Bring ipfw2 into the -stable tree. This will give more people a
>   chance to test it, and hopefully accelerate the transition from the
>   old to the new ipfw code.
>
>   NOTE: THIS COMMIT WILL NOT CHANGE THE FIREWALL YOU USE,
>   NOR A SINGLE BIT IN YOUR KERNEL AND BINARIES.
>   YOU WILL KEEP USING YOUR OLD "ipfw" UNLESS YOU:
>
>     + add "options IPFW2" (undocumented) to your kernel config file;
>
>     + compile and install sbin/ipfw and lib/libalias with
>         make -DIPFW2
>
>   in other words, you must really want it.
>

I need some help here. Does this mean:

1. change kernel config to include IPFW2
2. buildworld, buildkernel, installkernel, installworld
3. cd to /usr/src/sbin/ipfw and make -DIPFW2 ; make -DIPFW2 install
4. cd to /usr/src/lib/libalias and make -DIPFW2 ; make -DIPFW2 install

I got it to work that way but I have doubts since it won't work when the build machine is not the same one as the installed machine.

Also, as others suggested, it would be nice to have a way to detect if IPFW2 is in the running kernel and what flavor the installed ipfw(8) is. Currently, it's just too easy to mismatch kernel and userland and end up with a kernel that's defaulting to deny and no userland tool to add any rules to it. I just got that on a machine that installs its world and kernel over NFS - ouch.

--
Dan Pelleg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
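The following is an added example, not code from the thread or from FreeBSD, written after the exchange between Jo B. Grasmo and Luigi Rizzo earlier on this page about ipfw2 accepting options in any order. It is a small lint for an ipfw rule script that flags the three things that exchange showed to be easy to get wrong: keep-state that is not the last option of its rule (Luigi: it is meant to be the last opcode, and placed earlier Jo saw state being installed for already-established connections), a keep-state rule with no check-state before it (the dynamic table is then only consulted from that rule on, so an earlier "deny tcp from any to any established" like rule 1010 in Jo's ruleset sees the return traffic first), and an option repeated inside one rule ("setup setup setup", two "via" clauses), which ipfw2 accepts and prints back as typed. The input format is an assumption: one "add [number] action ..." rule per line, as in an rc.firewall-style script, with a leading "ipfw" tolerated; the sample rulesets in the usage note are constructed from Jo's examples.

```shell
#!/bin/sh
# Added example, not part of the thread: a lint for an ipfw rule script.
# Assumed input: one "add [number] action ..." rule per line, optionally
# prefixed with "ipfw"; comment and blank lines are ignored. Findings go to
# stdout; the exit status is 1 if anything was flagged, 0 otherwise.

lint_ipfw_rules() {
    awk '
    BEGIN { bad = 0 }
    function report(n, msg) { printf("line %d (rule %s): %s\n", NR, n, msg); bad = 1 }
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    {
        sub(/^[ \t]*ipfw[ \t]+/, "")         # tolerate "ipfw add ..." lines
        if ($1 != "add") next
        # The rule number is optional: "add 1000 allow ..." or "add allow ..."
        if ($2 ~ /^[0-9]+$/) { num = $2 } else { num = "?" }
        act = ($2 ~ /^[0-9]+$/) ? $3 : $2
        if (act == "check-state") { seen_check = 1; next }
        for (k in seen) delete seen[k]       # per-rule option bookkeeping
        for (i = 2; i <= NF; i++) {
            tok = $i
            if (tok == "keep-state") {
                # Luigi: keep-state must be the last opcode of the rule.
                if (i != NF) report(num, "keep-state is not the last option")
                # Without an earlier check-state, earlier rules (e.g. a
                # "deny ... established") match return traffic first.
                if (!seen_check) report(num, "keep-state with no check-state before it")
            }
            if (tok ~ /^(setup|established|in|out|via|recv|xmit)$/) {
                if (tok in seen) report(num, "option \"" tok "\" repeated")
                seen[tok] = 1
            }
        }
    }
    END { exit bad }
    ' "$@"
}

# Usage: lint_ipfw_rules /etc/ipfw.rules   (or feed the rules on stdin)
```

Against Jo's original ruleset plus the corrected form of his rule (check-state at 1000, deny established at 1010, then "allow tcp from any to 10.1.1.1 22 in via xl0 setup keep-state") the lint is silent; against the three "Examples:" rules from his second message it reports nine findings, including the misplaced keep-state that caused the dynamic rule to be installed for an already-open connection.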