From owner-freebsd-ipfw Tue Aug 20 5:42:15 2002
Date: Tue, 20 Aug 2002 05:42:06 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: ambiguity of filter expressions (tcpdump and ipfw2)
Message-ID: <20020820054206.A45915@iguana.icir.org>

[Bcc to -net, but please keep the discussion on -ipfw]

Hi,
we have the following issue (both in tcpdump and ipfw2):

when you specify a match pattern that is not applicable to the
packet being processed (e.g. "src-port 80" on an ICMP packet),
the match will simply fail and the packet will not be selected.

However, when you put in a "not" operator (as in "not src-port 80")
there are really two ways to implement the operation:

1. the basic match fails, so its negation will succeed.
   This is the way tcpdump operates (try a "tcpdump not port 80"
   and see how it matches all sorts of non-tcp traffic), and also
   ipfw2 does the same thing for consistency with tcpdump
   (that is the official excuse -- in reality, i did not think of
   the issue in the first place, maybe the same happened to
   the tcpdump/libpcap authors).

2. The match operator is "not applicable" so both the
   direct form and the negation will fail.

Now, using the first approach in a firewall might be somewhat dangerous,
in the sense that, yes, the rule does exactly what you write, but
that might not be what you really want. E.g. consider

	ipfw add allow not src-port 80

which could be meant to pass all tcp traffic not coming from a web
server -- however, this rule would also leak all non-tcp and non-udp
packets. The correct way to express the rule is of course to
include a "proto tcp" match pattern, but sometimes this can escape.
The second approach would prevent such mistakes, though it might
be non-obvious to people used to tcpdump syntax (although, i suspect
"not" operators are not widely used there either).

So, what do we do ? Implementing the second behavior requires rather
trivial changes in the kernel, and no changes in the kernel-user
interface or in the userland programs. ipfw2 syntax is not yet
widely used so changing between one mode and the other would not
give too much trouble to people. It might even be possible to provide
a sysctl variable to choose between the two behaviours, though i'd
rather not do that because it has a little bit of impact on run-time
performance, and also because having yet another tunable increases
confusion.

I'd be inclined to leave things as they are, surely remark the issue
in the manpage, and maybe make ipfw2 print out a "Warning" message
about the use of a potentially unsafe match pattern, same as the
compiler does when you use a "gets".

Opinions anyone ?
	cheers
	luigi
----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Aug 20 8:36:31 2002
Date: Tue, 20 Aug 2002 15:36:25 +0000
From: "anak freebsd"
To: freebsd-ipfw@freebsd.org
Cc: freebsd-questions@FreeBSD.ORG
Subject: dummy net wiht ip aliases

hi

i tried to limit every client using dummy net but it seems that dummy net
didn't work at all.

here is my rc.conf:

ifconfig_vr0="inet 64.62.215.14 netmask 255.255.255.252"
ifconfig_rl0_alias0="inet 64.62.214.9 netmask 255.255.255.248"
ifconfig_rl0_alias1="inet 64.62.214.33 netmask 255.255.255.224"
ifconfig_rl1="inet 192.168.1.2 netmask 255.255.255.252"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.conf"

and in my ipfw.conf:

(these rules work)
ipfw add 52 pipe 100 ip from 64.62.214.34 to any out via vr0
ipfw add 53 pipe 110 ip from any to 64.62.214.34 in via vr0
ipfw pipe 100 config bw 64Kbit/s queue 4Kbytes
ipfw pipe 110 config bw 64Kbit/s queue 4Kbytes

(these rules don't work at all)
ipfw add 50 pipe 30 ip from 64.62.214.9 to any in via rl0
ipfw add 51 pipe 31 ip from any to 64.62.214.9 out via rl0
ipfw pipe 30 config bw 128Kbit/s queue 8Kbytes
ipfw pipe 31 config bw 128Kbit/s queue 8Kbytes
ipfw add 48 pipe 28 ip from 64.62.214.10 to any in via rl0
ipfw add 49 pipe 29 ip from any to 64.62.214.10 out via rl0
ipfw pipe 28 config bw 256Kbit/s queue 8Kbytes
ipfw pipe 29 config bw 256Kbit/s queue 8Kbytes

IPs 64.62.214.10 and 64.62.214.19 are gateways for 16 public IPs.

is there any way that i can limit my clients with dummy net or something else?

thank you

anak freebsd

From owner-freebsd-ipfw Tue Aug 20 11:37:49 2002
Message-ID: <3D628C73.D5C85248@iprg.nokia.com>
Date: Tue, 20 Aug 2002 11:37:39 -0700
From: Joe Eykholt
Organization: Nokia IPRG
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ambiguity of filter expressions (tcpdump and ipfw2)
References: <20020820054206.A45915@iguana.icir.org>

How about giving a syntax error if TCP or UDP (or some other (future)
protocol where a port number IS applicable) isn't specified? That'd
remove the ambiguity and alert any existing users to any problem in
their rules.

I'm not on the ipfw alias, and you don't need to reply to this
suggestion.

	Joe

Luigi Rizzo wrote:
> 
> [Bcc to -net, but please keep the discussion on -ipfw]
> 
> Hi,
> we have the following issue (both in tcpdump and ipfw2):
> 
> when you specify a match pattern that is not applicable to the
> packet being processed (e.g. "src-port 80" on an ICMP packet),
> the match will simply fail and the packet will not be selected.
> 
> However, when you put in a "not" operator (as in "not src-port 80")
> there are really two ways to implement the operation:
> 
> 1. the basic match fails, so its negation will succeed.
>    This is the way tcpdump operates (try a "tcpdump not port 80"
>    and see how it matches all sorts of non-tcp traffic), and also
>    ipfw2 does the same thing for consistency with tcpdump
>    (that is the official excuse -- in reality, i did not think of
>    the issue in the first place, maybe the same happened to
>    the tcpdump/libpcap authors).
> 
> 2.
>    The match operator is "not applicable" so both the
>    direct form and the negation will fail.
> 
> Now, using the first approach in a firewall might be somewhat dangerous,
> in the sense that, yes, the rule does exactly what you write, but
> that might not be what you really want. E.g. consider
> 
> 	ipfw add allow not src-port 80
> 
> which could be meant to pass all tcp traffic not coming from a web
> server -- however, this rule would also leak all non-tcp and non-udp
> packets. The correct way to express the rule is of course to
> include a "proto tcp" match pattern, but sometimes this can escape.
> The second approach would prevent such mistakes, though it might
> be non-obvious to people used to tcpdump syntax (although, i suspect
> "not" operators are not widely used there either).
> 
> So, what do we do ? Implementing the second behavior requires rather
> trivial changes in the kernel, and no changes in the kernel-user
> interface or in the userland programs. ipfw2 syntax is not yet
> widely used so changing between one mode and the other would not
> give too much trouble to people. It might even be possible to provide
> a sysctl variable to choose between the two behaviours, though i'd
> rather not do that because it has a little bit of impact on run-time
> performance, and also because having yet another tunable increases
> confusion.
> 
> I'd be inclined to leave things as they are, surely remark the issue
> in the manpage, and maybe make ipfw2 print out a "Warning" message
> about the use of a potentially unsafe match pattern, same as the
> compiler does when you use a "gets".
> 
> Opinions anyone ?
> 
> 	cheers
> 	luigi
> ----------------------------------+-----------------------------------------
>  Luigi RIZZO, luigi@iet.unipi.it  . ICSI (on leave from Univ. di Pisa)
>  http://www.iet.unipi.it/~luigi/  .
>    1947 Center St, Berkeley CA 94704
>  Phone: (510) 666 2927
> ----------------------------------+-----------------------------------------

-- 
Joe Eykholt            jre@iprg.nokia.com
Nokia Internet Communications
313 Fairchild Drive, Mountain View, CA 94043
http://www.nokia.com/securitysolutions/

From owner-freebsd-ipfw Tue Aug 20 17:05:05 2002
Date: Tue, 20 Aug 2002 17:04:59 -0700
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ambiguity of filter expressions (tcpdump and ipfw2)
Message-ID: <20020821000459.GB70203@blossom.cjclark.org>
References: <20020820054206.A45915@iguana.icir.org>
In-Reply-To: <20020820054206.A45915@iguana.icir.org>

On Tue, Aug 20, 2002 at 05:42:06AM -0700, Luigi Rizzo wrote:
[snip]
> I'd be inclined to leave things as they are, surely remark the issue
> in the manpage, and maybe make ipfw2 print out a "Warning" message
> about the use of a potentially unsafe match pattern, same as the
> compiler does when you use a "gets".
> 
> Opinions anyone ?

The current behavior makes logical sense. If someone wants to get
complicated and do something like (I'll write in BPF rules since I'm
not up on ipfw2),

  icmp || (tcp && port 80)

Would the "applicability" checks kick in? Or only when there is a
negation? For mathematical consistency,

  !( icmp || (tcp && port 80))

Must give the same result as,

  !icmp && !(tcp && port 80)

And these "applicability" rules seem to break it.
-- 
Crist J.
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Tue Aug 20 22:25:44 2002
Date: Tue, 20 Aug 2002 22:25:40 -0700
From: Luigi Rizzo
To: "Crist J. Clark"
Cc: ipfw@FreeBSD.ORG
Subject: Re: ambiguity of filter expressions (tcpdump and ipfw2)
Message-ID: <20020820222540.A53549@iguana.icir.org>
In-Reply-To: <20020821000459.GB70203@blossom.cjclark.org>

On Tue, Aug 20, 2002 at 05:04:59PM -0700, Crist J. Clark wrote:
...
> The current behavior makes logical sense.
> If someone wants to get
> complicated and do something like (I'll write in BPF rules since I'm
> not up on ipfw2),
> 
>   icmp || (tcp && port 80)
> 
> Would the "applicability" checks kick in? Or only when there is a
> negation? For mathematical consistency,

The problem is that "non-applicable" tests should fail both ways,
whereas now (both in libpcap and ipfw2) the implementor has to
choose which one fails and which one succeeds (we both chose
the direct form to fail and the negated form to succeed).

There is not a lot of mathematical consistency even now -- if a
field has a limited range, one would expect things like

	port 0-79 or port 81-65535
	not port 80

to be the same thing, but they aren't...

	cheers
	luigi

>   !( icmp || (tcp && port 80))
> 
> Must give the same result as,
> 
>   !icmp && !(tcp && port 80)
> 
> And these "applicability" rules seem to break it.
> -- 
> Crist J. Clark                     |     cjclark@alum.mit.edu
>                                    |     cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Tue Aug 20 23:41:26 2002
Date: Tue, 20 Aug 2002 23:41:19 -0700
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ambiguity of filter expressions (tcpdump and ipfw2)
Message-ID: <20020821064119.GA72013@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <20020820222540.A53549@iguana.icir.org>

On Tue, Aug 20, 2002 at 10:25:40PM -0700, Luigi Rizzo wrote:
> On Tue, Aug 20, 2002 at 05:04:59PM -0700, Crist J. Clark wrote:
> ...
> > The current behavior makes logical sense. If someone wants to get
> > complicated and do something like (I'll write in BPF rules since I'm
> > not up on ipfw2),
> > 
> >   icmp || (tcp && port 80)
> > 
> > Would the "applicability" checks kick in? Or only when there is a
> > negation? For mathematical consistency,
> 
> The problem is that "non-applicable" tests should fail both ways,
> whereas now (both in libpcap and ipfw2) the implementor has to
> choose which one fails and which one succeeds (we both chose
> the direct form to fail and the negated form to succeed).
> 
> There is not a lot of mathematical consistency even now -- if a
> field has a limited range, one would expect things like
> 
> 	port 0-79 or port 81-65535
> 	not port 80
> 
> to be the same thing, but they aren't...

Dunno if it is just me, but those don't look like the same
thing even at a glance. 'port' implies a matching packet must also be
TCP or UDP. I guess I automatically add the "implied conditions,"

  port 0-79 or port 81-65535
    == ((tcp || udp) && port 0-79) or ((tcp || udp) && port 81-65535)
    == (tcp || udp) && (port 0-79 || 81-65535)

  not port 80
    == !((tcp || udp) && port 80)
    == !(tcp || udp) || !(port 80)

Which _are_ clearly different.

Anyway, I stick with the current behavior. If you want to say all TCP
excluding port 80/tcp, then just say so,

  tcp && ! port 80

If you want _everything_ except 80/udp or 80/tcp,

  ! port 80

They are not the same thing, and they shouldn't be.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Tue Aug 20 23:53:22 2002
Date: Tue, 20 Aug 2002 23:53:18 -0700
From: Luigi Rizzo
To: cjclark@alum.mit.edu
Cc: ipfw@FreeBSD.ORG
Subject: Re: ambiguity of filter expressions (tcpdump and ipfw2)
Message-ID: <20020820235317.B54133@iguana.icir.org>
In-Reply-To: <20020821064119.GA72013@blossom.cjclark.org>

On Tue, Aug 20, 2002 at 11:41:19PM -0700, Crist J. Clark wrote:
...
> > There is not a lot of mathematical consistency even now -- if a
> > field has a limited range, one would expect things like
> > 
> > 	port 0-79 or port 81-65535
> > 	not port 80
> > 
> > to be the same thing, but they aren't...
> 
> Dunno if it is just me, but those don't look like the same
> thing even at a glance. 'port' implies a matching packet must also be
> TCP or UDP. I guess I automatically add the "implied conditions,"

but you see, it is all around the "implied conditions" that are added
behind the scenes. Limiting just to tcp for simplicity:

You write "port 80" and you mean "tcp and port 80" (and this is really
what the match engine does). Then when you write "not port 80" it is
not obvious whether the negation should go before or after the added
tcp check -- both rewrites, "tcp and (not port 80)" or "not (tcp and
port 80)", make sense.

But the bottom line is that both agree to stick with the current
behaviour. However i just wanted to point out that it can lead to
unexpected leaks.
	cheers
	luigi

From owner-freebsd-ipfw Wed Aug 21 0:32:16 2002
Date: Wed, 21 Aug 2002 00:32:13 -0700 (PDT)
From: a a
To: freebsd-ipfw@FreeBSD.ORG
Subject: Policy routing using IPFW for multiple ISP's
Message-ID: <20020821073213.94858.qmail@web12904.mail.yahoo.com>

Here's my setup

FreeBSD 4.6.2 box with 3 NICs

Compiled with the following options
options         IPSTEALTH
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         IPDIVERT
options         IPFIREWALL_FORWARD

NIC1 - ed0 connected to my cable modem 24.86.xx.xx Default Gateway
NIC2 - rl0 connected to my DSL Modem 199.185.xx.xx
NIC3 - fxp0 connected to my LAN 192.168.1.1

Here's the current IPFW rules

00100 fwd DSL-Gateway ip from any to 66.25.xx.0/24 out xmit ed0
00200 divert 8668 ip from any to any via ed0
00200 divert 8669 ip from any to any via rl0
65000 allow ip from any to any

What I'm trying to do is have all traffic go thru the cable connection
except for traffic destined for the 66.25.xx.0/24 range.
I would like that range to go thru the DSL connection. Currently it's
not working. Has anyone tried this before? Is this even possible?

Thanks in advance

John Resnier

From owner-freebsd-ipfw Wed Aug 21 2:15:00 2002
Date: Wed, 21 Aug 2002 02:14:58 -0700 (PDT)
From: "Damhar S."
To: ipfw@FreeBSD.ORG
Subject: ipfw for realplayer
Message-ID: <20020821091458.78954.qmail@web9208.mail.yahoo.com>
In-Reply-To: <20020821000459.GB70203@blossom.cjclark.org>

Hi All,

How do I configure my ipfw firewall rule sets so that my clients behind
it can play streaming movies or sound from sites providing these
services?

Any example rules will be appreciated.

Thank you very much

Damhar
From owner-freebsd-ipfw Wed Aug 21 17:30:14 2002
Date: Wed, 21 Aug 2002 17:20:56 -0700 (PDT)
From: Archie Cobbs
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ambiguity of filter expressions (tcpdump and ipfw2)
Message-Id: <200208220020.g7M0Kue08368@arch20m.dellroad.org>
In-Reply-To: <20020820054206.A45915@iguana.icir.org> "from Luigi Rizzo at Aug 20, 2002 05:42:06 am"

Luigi Rizzo writes:
> when you specify a match pattern that is not applicable to the
> packet being processed (e.g. "src-port 80" on an ICMP packet),
> the match will simply fail and the packet will not be selected.
> 
> However, when you put in a "not" operator (as in "not src-port 80")
> there are really two ways to implement the operation:
> 
> 1.
>    the basic match fails, so its negation will succeed.
>    This is the way tcpdump operates (try a "tcpdump not port 80"
>    and see how it matches all sorts of non-tcp traffic), and also
>    ipfw2 does the same thing for consistency with tcpdump
>    (that is the official excuse -- in reality, i did not think of
>    the issue in the first place, maybe the same happened to
>    the tcpdump/libpcap authors).
> 
> 2. The match operator is "not applicable" so both the
>    direct form and the negation will fail.
> 
> Now, using the first approach in a firewall might be somewhat dangerous,
> in the sense that, yes, the rule does exactly what you write, but
> that might not be what you really want. E.g. consider
> 
> 	ipfw add allow not src-port 80

I think this problem is really caused by the 'optimization' of pcap(3)
that allows you to say "dst port 80" when what you really mean is
"udp dst port 80 or tcp dst port 80". If we got rid of that
'optimization' then your issue would become less of a problem, i.e.,
"allow not tcp dst port 80" pretty clearly is going to allow ICMP, etc.
-Archie

__________________________________________________________________________
Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com

From owner-freebsd-ipfw Thu Aug 22 22:25:16 2002
Date: Thu, 22 Aug 2002 22:25:06 -0700
From: "Crist J. Clark"
To: a a
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Policy routing using IPFW for multiple ISP's
Message-ID: <20020823052506.GA82200@blossom.cjclark.org>
References: <20020821073213.94858.qmail@web12904.mail.yahoo.com>
In-Reply-To: <20020821073213.94858.qmail@web12904.mail.yahoo.com>

On Wed, Aug 21, 2002 at 12:32:13AM -0700, a a wrote:
> 
> Here's my setup
> 
> FreeBSD 4.6.2 box with 3 NICs
> 
> Compiled with the following options
> options         IPSTEALTH
> options         IPFIREWALL
> options         IPFIREWALL_VERBOSE
> options         IPFIREWALL_VERBOSE_LIMIT=100
> options         IPDIVERT
> options         IPFIREWALL_FORWARD
> 
> NIC1 - ed0 connected to my cable modem 24.86.xx.xx Default Gateway
> NIC2 - rl0 connected to my DSL Modem 199.185.xx.xx
> NIC3 - fxp0 connected to my LAN 192.168.1.1
> 
> Here's the current IPFW rules
> 
> 00100 fwd DSL-Gateway ip from any to 66.25.xx.0/24 out xmit ed0
> 00200 divert 8668 ip from any to any via ed0
> 00200 divert 8669 ip from any to any via rl0
> 65000 allow ip from any to any
> 
> What I'm trying to do is have all traffic go thru the cable connection
> except for traffic destined for the 66.25.xx.0/24 range. I would like
> that range to go thru the DSL connection. Currently it's not working.
> Has anyone tried this before? Is this even possible?

You want to route by _destination?_ Uhh, why not just,

  # route add net 66.25.xx.0/24 

You don't need 'fwd' or ipfw(8) to do that.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
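The disagreement earlier in this archive (Luigi's "ipfw add allow not src-port 80" leaking non-TCP/UDP packets, Crist's De Morgan consistency check, and Luigi's "port 0-79 or port 81-65535" versus "not port 80" comparison) can be worked through with a small model. The block below is an added example by the editor of this archive; it is not ipfw, libpcap or any poster's code. It assumes a constructed set of sample packets, models the thread's "port" tests as source-port tests only, and reads Luigi's second option ("not applicable fails both ways") as Kleene three-valued logic, which is one possible implementation and is an assumption here, not something the thread specifies.

```python
"""
Added model of the two "not" semantics argued over in this thread; it is
not ipfw, libpcap or any poster's code.

A leaf test returns True, False or None, where None means "not applicable
to this packet" (a port test on ICMP, for instance).

  strict=False  the tcpdump / ipfw2 behaviour described in the thread:
                None is collapsed to False at the leaf and "not" is plain
                boolean negation, so "not src-port 80" matches ICMP.
  strict=True   one reading of Luigi's second option (an assumption here):
                None propagates through not/and/or as Kleene three-valued
                logic and a rule fires only on a definite True, so
                "src-port 80" and "not src-port 80" both fail on ICMP.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", "gre", ...
    sport: Optional[int] = None  # None when the protocol carries no ports


# Expressions are nested tuples; "port" in the thread is modelled as a
# source-port test only, to keep the example short:
#   ("proto", name) | ("sport", lo, hi) | ("not", e) | ("and", a, b) | ("or", a, b)

def _leaf(expr, pkt):
    if expr[0] == "proto":
        return pkt.proto == expr[1]
    if expr[0] == "sport":
        if pkt.sport is None:
            return None          # not applicable: nothing to compare
        return expr[1] <= pkt.sport <= expr[2]
    raise ValueError(f"unknown leaf {expr[0]!r}")


def evaluate(expr, pkt, strict):
    """True/False when strict=False; True/False/None when strict=True."""
    kind = expr[0]
    if kind in ("proto", "sport"):
        r = _leaf(expr, pkt)
        return r if strict else bool(r)   # non-strict: N/A is a failed match
    if kind == "not":
        r = evaluate(expr[1], pkt, strict)
        return None if r is None else (not r)
    if kind in ("and", "or"):
        a = evaluate(expr[1], pkt, strict)
        b = evaluate(expr[2], pkt, strict)
        if kind == "and":
            if a is False or b is False:
                return False
            return None if (a is None or b is None) else True
        if a is True or b is True:
            return True
        return None if (a is None or b is None) else False
    raise ValueError(f"unknown operator {kind!r}")


def rule_matches(expr, pkt, strict):
    """A rule selects a packet only on a definite True; N/A never selects."""
    return evaluate(expr, pkt, strict) is True


# Constructed sample packets (not taken from the thread).
SAMPLES = {
    "tcp from web server": Packet("tcp", sport=80),
    "tcp from ssh": Packet("tcp", sport=22),
    "udp dns": Packet("udp", sport=53),
    "icmp echo": Packet("icmp"),
    "gre": Packet("gre"),
}

# Luigi's rule:  ipfw add allow not src-port 80
ALLOW_NOT_SPORT_80 = ("not", ("sport", 80, 80))


def leaked_by(expr, strict):
    """Names of the port-less samples the rule passes: the leak Luigi describes."""
    return sorted(name for name, p in SAMPLES.items()
                  if p.sport is None and rule_matches(expr, p, strict))


def de_morgan_holds(pkt, strict):
    """Crist's check: !(icmp || (tcp && port 80)) vs !icmp && !(tcp && port 80)."""
    tcp80 = ("and", ("proto", "tcp"), ("sport", 80, 80))
    lhs = ("not", ("or", ("proto", "icmp"), tcp80))
    rhs = ("and", ("not", ("proto", "icmp")), ("not", tcp80))
    return evaluate(lhs, pkt, strict) == evaluate(rhs, pkt, strict)


def range_vs_not(pkt, strict):
    """Luigi's pair: 'port 0-79 or port 81-65535' versus 'not port 80'."""
    ranges = ("or", ("sport", 0, 79), ("sport", 81, 65535))
    return rule_matches(ranges, pkt, strict), rule_matches(ALLOW_NOT_SPORT_80, pkt, strict)


if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict={strict}: 'allow not src-port 80' passes {leaked_by(ALLOW_NOT_SPORT_80, strict)}")
        for name, p in SAMPLES.items():
            print(f"  {name:20s} range-vs-not={range_vs_not(p, strict)} "
                  f"de_morgan={de_morgan_holds(p, strict)}")
```

Run as a script it prints, for each semantics, which port-less packets the "allow not src-port 80" rule lets through (ICMP and GRE under the tcpdump-style semantics, none under the three-valued one), whether the two sides of Crist's De Morgan identity agree on each sample packet, and whether the range form and the negated form of the port test select the same packets. The comparison only differs on packets without a port field, which is exactly the class of traffic Luigi's rule leaks; adding the "proto tcp" qualifier he recommends removes the difference under either semantics.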