From owner-freebsd-ipfw Sun Nov 17 09:37:22 2002
Message-ID: <3DD7D3CC.50701@tenebras.com>
Date: Sun, 17 Nov 2002 09:37:16 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 in RELENG_4_7

Some time ago (pre-ipfw2) there was a patch that caused stateful
rules to log only the initial instantiation of the rule, rather
than each packet. This is extremely useful, but I can't seem
to make it work for ipfw2.

Any suggestions? This would be a good feature to have, and
arguably should be the default logging behavior.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Nov 17 09:39:56 2002
Date: Sun, 17 Nov 2002 09:39:55 -0800
From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: Michael Sierchio
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 in RELENG_4_7
Message-ID: <20021117093955.A17750@xorpc.icir.org>
In-Reply-To: <3DD7D3CC.50701@tenebras.com>

On Sun, Nov 17, 2002 at 09:37:16AM -0800, Michael Sierchio wrote:
>
> Some time ago (pre-ipfw2) there was a patch that caused stateful
> rules to log only the initial instantiation of the rule, rather
> than each packet. This is extremely useful, but I can't seem
> to make it work for ipfw2.
>
> Any suggestions? This would be a good feature to have, and
> arguably should be the default logging behavior.

can you point me to the patch ?

cheers
luigi

From owner-freebsd-ipfw Sun Nov 17 09:56:44 2002
Message-ID: <3DD7D859.1070903@tenebras.com>
Date: Sun, 17 Nov 2002 09:56:41 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 in RELENG_4_7

> can you point me to the patch ?

I'm not sure it still works w/ipfw2, but it was:

--- ip_fw.c	Sun Jul 28 19:04:25 2002
+++ ip_fw.c.chg	Sun Nov 17 09:51:00 2002
@@ -1461,7 +1461,7 @@
 	f->timestamp = time_second;
 	/* Log to console if desired */
-	if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose && hlen > 0)
+	if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose && hlen > 0 && q==NULL)
 		ipfw_report(f, ip, offset, ip_len, rif, oif);
 	/* Take appropriate action */
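Review bot: the added `&& q==NULL` on the `+` line silences logging for every packet that arrives through a dynamic-rule match, for all rules in the chain, not only the keep-state rule the poster wants quieter; a rule that is meant to log each packet of a stateful session loses that ability with no way to opt back in. Gate the new condition on a per-rule flag instead (a new flag bit in `fw_flg` set by a new ipfw keyword), so existing rulesets keep their behaviour, and write it as `q == NULL` to match the spacing in the rest of the condition. The hunk is also against ip_fw.c, while the ipfw2 code discussed in this thread lives in ip_fw2.c, so it has to be redone there before it answers the original question.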
From owner-freebsd-ipfw Sun Nov 17 10:45:14 2002
Message-ID: <3DD7E3B8.2030905@tenebras.com>
Date: Sun, 17 Nov 2002 10:45:12 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Stateful rule logging behavior

Of course, it is possible to get the desired behavior by writing
two rules instead of one:

$fw add count log tcp from $ssh_hosts to $prv_net ssh setup
$fw add allow tcp from $ssh_hosts to $prv_net ssh setup keep-state

Unless you can think of something more innocuous than 'count'

From owner-freebsd-ipfw Mon Nov 18 02:32:50 2002
Message-ID: <3DD8C1C5.5020508@tcoip.com.br>
Date: Mon, 18 Nov 2002 08:32:37 -0200
From: "Daniel C. Sobral" <dcs@tcoip.com.br>
To: ipfw@freebsd.org
Subject: Testing rules

You know what I'd like to be able to do? Test what firewall rules
would be used by a given packet. Like, for instance, tcp from 10.0.2.6
to 200.220.255.72 setup, what rules would be triggered by that?

I suspect that would be rather hard, though. Would it?

--
Daniel C. Sobral (8-DCS)
Operations Management
Data Communications Division
Security Coordination
TCO
Phones: 55-61-313-7654 / Mobile: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br Daniel.Sobral@tcoip.com.br dcs@tcoip.com.br
Other: dcs@newsguy.com dcs@freebsd.org capo@notorious.bsdconspiracy.net

Good-bye. I am leaving because I am bored.
-- George Saunders' dying words

From owner-freebsd-ipfw Mon Nov 18 17:47:00 2002
Message-ID: <3DD99810.7080000@tenebras.com>
Date: Mon, 18 Nov 2002 17:46:56 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Apparent Bug in IPFW2 on 4.7-RELEASE-p2

the 1.2.3.4/24{3,45} notation doesn't seem to work. Witness (from ipfw show):

01910 0   0 allow udp from any to 66.92.188.0/24{18,241} dst-port 53 in recv sis0
01920 1  62 allow udp from any to 66.92.188.18 dst-port 53 in recv sis0
01930 3 184 allow udp from any to 66.92.188.241 dst-port 53 in recv sis0

Rule 1910 should have been triggered in the case of these
packets, and should never have gotten to rules 1920 or 1930

Has this been reported before, and was I just sleeping?
From owner-freebsd-ipfw Mon Nov 18 17:53:00 2002
Date: Mon, 18 Nov 2002 17:52:58 -0800
From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: Michael Sierchio
Cc: ipfw@FreeBSD.ORG
Subject: Re: Apparent Bug in IPFW2 on 4.7-RELEASE-p2
Message-ID: <20021118175258.A37219@xorpc.icir.org>
In-Reply-To: <3DD99810.7080000@tenebras.com>

known and fixed bug -- the kernel was using the wrong address
(src instead of dst, and vice versa) in the 1.2.3.4/24{3,45}
instructions. Fixed in rev.1.6.2.4 of ip_fw2.c (oct.24)

cheers
luigi

On Mon, Nov 18, 2002 at 05:46:56PM -0800, Michael Sierchio wrote:
>
> the 1.2.3.4/24{3,45} notation doesn't seem to work. Witness (from ipfw show):
>
> 01910 0   0 allow udp from any to 66.92.188.0/24{18,241} dst-port 53 in recv sis0
> 01920 1  62 allow udp from any to 66.92.188.18 dst-port 53 in recv sis0
> 01930 3 184 allow udp from any to 66.92.188.241 dst-port 53 in recv sis0
>
> Rule 1910 should have been triggered in the case of these
> packets, and should never have gotten to rules 1920 or 1930
>
> Has this been reported before, and was I just sleeping?
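An added example, not code from the thread or from FreeBSD: a Python matcher for the addr/masklen{list} address-set notation as ipfw(8) defines it (the address must lie inside addr/masklen and its host part, the low 32-masklen bits, must be one of the listed values), with a switch that reproduces the src/dst mix-up Luigi describes so that the counters Michael posted (nothing on 1910, hits on 1920 and 1930) fall out of it. The packet source 192.0.2.10, the function names and the 24..32 masklen check are assumptions about how a practitioner would model this, not the kernel's code.

```python
import ipaddress
import re

# ipfw2 address set "addr/masklen{list}": 66.92.188.0/24{18,241} means exactly
# 66.92.188.18 and 66.92.188.241. The kernel keeps the list as a 256-bit bitmap,
# hence the masklen range 24..32 enforced below.
_SET_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/(\d+)\{([\d,\s]+)\}$")


class AddrSet:
    def __init__(self, spec):
        m = _SET_RE.match(spec.strip())
        if not m:
            raise ValueError("not an addr/masklen{list} spec: %r" % spec)
        self.net = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)), strict=False)
        if not 24 <= self.net.prefixlen <= 32:
            raise ValueError("masklen %d outside 24..32" % self.net.prefixlen)
        hostbits = 32 - self.net.prefixlen
        self.hosts = set()
        for tok in m.group(3).split(","):
            v = int(tok)
            if not 0 <= v < (1 << hostbits):      # value must fit the host part
                raise ValueError("%d does not fit in %d host bits" % (v, hostbits))
            self.hosts.add(v)

    def __contains__(self, addr):
        a = ipaddress.ip_address(addr)
        return a in self.net and (int(a) & int(self.net.hostmask)) in self.hosts


def dst_matches(dst_spec, pkt_src, pkt_dst, swapped=False):
    """'... from any to <dst_spec>': test the packet's destination against the spec.
    swapped=True reproduces the bug Luigi describes, where the kernel fed the source
    address to the {list} instruction; plain addresses were unaffected."""
    addr = pkt_src if (swapped and isinstance(dst_spec, AddrSet)) else pkt_dst
    return ipaddress.ip_address(addr) in dst_spec


def first_match(pkt_src, pkt_dst, swapped=False):
    """Which of Sierchio's rules 1910/1920/1930 a DNS query to pkt_dst would hit."""
    rules = [(1910, AddrSet("66.92.188.0/24{18,241}")),
             (1920, ipaddress.ip_network("66.92.188.18/32")),
             (1930, ipaddress.ip_network("66.92.188.241/32"))]
    for num, spec in rules:
        if dst_matches(spec, pkt_src, pkt_dst, swapped):
            return num
    return None
```

With the correct semantics `first_match("192.0.2.10", "66.92.188.18")` is 1910; with `swapped=True` the set instruction tests 192.0.2.10, misses, and the packet falls through to 1920, which is the pattern in the `ipfw show` output above.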
From owner-freebsd-ipfw Tue Nov 19 02:59:08 2002
Date: Tue, 19 Nov 2002 11:59:04 +0100
From: Alexander Langer <alex@big.endian.de>
To: freebsd-ipfw@FreeBSD.org
Subject: ipfw2 on SMP
Message-ID: <20021119105904.GK4666@fump.kawo2.rwth-aachen.de>

Hi!

Does ipfw2 (box does use DEVICE_POLLING) on -CURRENT benefit from 2 CPUs?

We have quite the same incoming / outgoing traffic here, but I don't
know the actual design of ipfw2 or the bridging-code, so I
wondered if that would benefit from a 2nd CPU, or if the CPUs lock
themselves to the inefficiency.

Comments? Stats? Already doing this somewhere? :)

Thanks

Alex

From owner-freebsd-ipfw Tue Nov 19 05:23:00 2002
Date: Tue, 19 Nov 2002 05:22:40 -0800
From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: Alexander Langer
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw2 on SMP
Message-ID: <20021119052240.B59522@xorpc.icir.org>
In-Reply-To: <20021119105904.GK4666@fump.kawo2.rwth-aachen.de>

all the network stack is still under Giant so the second CPU
won't help much in the lower levels of the stack (including
ipfw2 and bridging).

DEVICE_POLLING being incompatible with SMP is an orthogonal issue.

cheers
luigi

On Tue, Nov 19, 2002 at 11:59:04AM +0100, Alexander Langer wrote:
> Hi!
>
> Does ipfw2 (box does use DEVICE_POLLING) on -CURRENT benefit from 2 CPUs?
>
> We have quite the same incoming / outgoing traffic here, but I don't
> know the actual design of ipfw2 or the bridging-code, so I
> wondered if that would benefit from a 2nd CPU, or if the CPUs lock
> themselves to the inefficiency.
>
> Comments? Stats? Already doing this somewhere?
> :)
>
> Thanks
>
> Alex

From owner-freebsd-ipfw Tue Nov 19 08:37:12 2002
Message-ID: <001a01c28fea$0200c7c0$62229fc0@ad.campbellmithun.com>
From: "Shawn Barnhart" <swb@grasslake.net>
Subject: Stateful rules
Date: Tue, 19 Nov 2002 10:37:53 -0600

I've recently switched over to using the stateful capabilities of ipfw
(4.7-STABLE).

I have rules like:

check state
allow tcp from my_host to any keep-state
allow udp from my_host to any keep-state
....
deny log ip from any to any

In that order.

What I've noticed is that during web browsing (and only web browsing), I see
a small number of packets hitting the deny rule at the end, as if the
dynamic rule had either expired or didn't apply. I didn't notice it
impacting the actual web browsing I was doing (ie, no misdrawn pages or
other glitches).

I haven't seen any other types of packets blocked other than web traffic;
ssh, dns, even udp-intensive games seem OK.

Any potential explanations?

I thought there might be some low sysctl variables, but
net.inet.ip.fw.dyn_count appears to be well below net.inet.ip.fw.dyn_max.

One other thing I'm curious about is net.inet.ip.fw.dyn_buckets -- what does
this have to do with net.inet.ip.fw.dyn_max or dynamic rule processing? I
can't quite glean the relationship it has with net.inet.ip.fw.dyn_max, if
there is one, or when/how/if it should be adjusted.
-Shawn

From owner-freebsd-ipfw Tue Nov 19 08:56:20 2002
Date: Tue, 19 Nov 2002 08:56:12 -0800
From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: Shawn Barnhart
Cc: ipfw@FreeBSD.ORG
Subject: Re: Stateful rules
Message-ID: <20021119085612.A67523@xorpc.icir.org>
In-Reply-To: <001a01c28fea$0200c7c0$62229fc0@ad.campbellmithun.com>

those rules do not make a lot of sense.
perhaps you should post your entire ruleset if you want us
to understand what is going on.

cheers
luigi

On Tue, Nov 19, 2002 at 10:37:53AM -0600, Shawn Barnhart wrote:
> I've recently switched over to using the stateful capabilities of ipfw
> (4.7-STABLE).
>
> I have rules like:
>
> check state
> allow tcp from my_host to any keep-state
> allow udp from my_host to any keep-state
> ....
> deny log ip from any to any
>
> In that order.
>
> What I've noticed is that during web browsing (and only web browsing), I see
> a small number of packets hitting the deny rule at the end, as if the
> dynamic rule had either expired or didn't apply. I didn't notice it
> impacting the actual web browsing I was doing (ie, no misdrawn pages or
> other glitches).
>
> I haven't seen any other types of packets blocked other than web traffic;
> ssh, dns, even udp-intensive games seem OK.
>
> Any potential explanations?
>
> I thought there might be some low sysctl variables, but
> net.inet.ip.fw.dyn_count appears to be well below net.inet.ip.fw.dyn_max.
>
> One other thing I'm curious about is net.inet.ip.fw.dyn_buckets -- what does
> this have to do with net.inet.ip.fw.dyn_max or dynamic rule processing?
> I can't quite glean the relationship it has with net.inet.ip.fw.dyn_max, if
> there is one, or when/how/if it should be adjusted.
>
> -Shawn

From owner-freebsd-ipfw Tue Nov 19 09:28:29 2002
Message-ID: <003701c28ff1$2bd513b0$62229fc0@ad.campbellmithun.com>
From: "Shawn Barnhart" <swb@grasslake.net>
To: "Luigi Rizzo"
Subject: Re: Stateful rules
Date: Tue, 19 Nov 2002 11:29:10 -0600

----- Original Message -----
From: "Luigi Rizzo"
To: "Shawn Barnhart"
Sent: Tuesday, November 19, 2002 10:56
Subject: Re: Stateful rules

> those rules do not make a lot of sense.
> perhaps you should post your entire ruleset if you want us
> to understand what is going on.
No more confusing than:

ipfw add check-state
ipfw add allow tcp from my-subnet to any setup
ipfw add deny tcp from any to any

...which is a direct cut/paste from the ipfw man page.

The full ruleset on this specific machine isn't much more complicated:

00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 check-state
00500 allow tcp from 10.11.12.16/29 to any keep-state
00510 allow tcp from 192.168.1.0/24 to any keep-state via xl1
00600 allow udp from 10.11.12.16/29 to any keep-state
00610 allow udp from 192.168.1.0/24 to any keep-state via xl1
02000 allow log icmp from any to any
03010 allow tcp from any to 10.11.12.20 80
03020 allow tcp from any to 10.11.12.20 25
03030 allow udp from any to 10.11.12.20 53
64000 deny log ip from any to any

When web browsing, some return packets hit the deny rule at the end, but
with no apparent impact on the web client, even though they should have
matching dynamic rules, because they're passed out initially with a
keep-state rule. UDP applications (DNS, games) don't ever generate
apparently failed or missing dynamic rules, even though the games generate a
huge amount of udp traffic.

I'm speculating that the packets are return web data because they appeared
during active web browsing, had a source port of 80 and a high-numbered
destination port.

This particular machine has NAT enabled, but I've seen similar results on a
machine with no NAT enabled.

I suspected I might have been overrunning the net.inet.fw.dyn_max values,
but monitoring showed I wasn't. I was also curious about the role played by
net.inet.fw.dyn_buckets relative to dyn_max since the manpage isn't clear to
me about this.
From owner-freebsd-ipfw Tue Nov 19 10:43:02 2002
Date: Tue, 19 Nov 2002 10:42:59 -0800
From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: Shawn Barnhart
Cc: ipfw@FreeBSD.ORG
Subject: Re: Stateful rules
Message-ID: <20021119104259.B68560@xorpc.icir.org>
In-Reply-To: <003701c28ff1$2bd513b0$62229fc0@ad.campbellmithun.com>

just what do you want to achieve with stateful rules, given that
you have already natd ? you are trying to write a configuration
that is totally non-trivial because the firewall code will see
the packet multiple times, with both the original and the nat'ed
address.

And finally you are forgetting the 'setup' option from the tcp
keep-state rules, which does not make a difference with legitimate
traffic, but leaves the firewall open to traffic that you don't want.

Re. the deny rule, it might well be that the packets you see matching
it are retransmission of the FIN packets from the server, which
arrive once the dynamic rule has already expired and so do not
match rules 400, 500 and 510

cheers
luigi

On Tue, Nov 19, 2002 at 11:29:10AM -0600, Shawn Barnhart wrote:
>
> ----- Original Message -----
> From: "Luigi Rizzo"
> To: "Shawn Barnhart"
> Sent: Tuesday, November 19, 2002 10:56
> Subject: Re: Stateful rules
>
> > those rules do not make a lot of sense.
> > perhaps you should post your entire ruleset if you want us
> > to understand what is going on.
>
> No more confusing than:
>
> ipfw add check-state
> ipfw add allow tcp from my-subnet to any setup
> ipfw add deny tcp from any to any
>
> ...which is a direct cut/paste from the ipfw man page.
>
> The full ruleset on this specific machine isn't much more complicated:
>
> 00050 divert 8668 ip from any to any via xl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 check-state
> 00500 allow tcp from 10.11.12.16/29 to any keep-state
> 00510 allow tcp from 192.168.1.0/24 to any keep-state via xl1
> 00600 allow udp from 10.11.12.16/29 to any keep-state
> 00610 allow udp from 192.168.1.0/24 to any keep-state via xl1
> 02000 allow log icmp from any to any
> 03010 allow tcp from any to 10.11.12.20 80
> 03020 allow tcp from any to 10.11.12.20 25
> 03030 allow udp from any to 10.11.12.20 53
> 64000 deny log ip from any to any
>
> When web browsing, some return packets hit the deny rule at the end, but
> with no apparent impact on the web client, even though they should have
> matching dynamic rules, because they're passed out initially with a
> keep-state rule. UDP applications (DNS, games) don't ever generate
> apparently failed or missing dynamic rules, even though the games generate a
> huge amount of udp traffic.
>
> I'm speculating that the packets are return web data because they appeared
> during active web browsing, had a source port of 80 and a high-numbered
> destination port.
>
> This particular machine has NAT enabled, but I've seen similar results on a
> machine with no NAT enabled.
>
> I suspected I might have been overrunning the net.inet.fw.dyn_max values,
> but monitoring showed I wasn't.
> I was also curious about the role played by
> net.inet.fw.dyn_buckets relative to dyn_max since the manpage isn't clear to
> me about this.

From owner-freebsd-ipfw Wed Nov 20 06:59:34 2002
Message-ID: <017501c290a5$6c2a24a0$c00c460a@pro.tl.thomcorp.net>
From: "Thomas T. Veldhouse" <veldy@veldy.net>
Subject: IPFW2?
Date: Wed, 20 Nov 2002 08:59:27 -0600

I am looking at using IPFW2 to firewall my [natd] network via my
4.7-RELEASE-p2 machine. Are there any gotchas I need to keep an eye out
for? Does anybody have a nice sample IPFW2 firewall script available, one
that utilizes any of the new features?

Thanks in advance,

Tom Veldhouse
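The following is an added example, not code from the list or from FreeBSD: a small Python model of ipfw's check-state, keep-state and setup handling, using the rule numbers from Shawn's ruleset and constructed packets. It answers Daniel Sobral's question earlier in the thread (which rule would a given packet hit), shows the hole Luigi points out when a keep-state rule lacks setup, reproduces his explanation of the denied web packets as FIN retransmissions arriving after the dynamic rule expired, and confirms that Michael Sierchio's two-rule trick logs one line per session instead of one per packet. The endpoints 10.11.12.17 and 203.0.113.7, the simplified state machine and the lifetimes are assumptions; the lifetimes are loosely modelled on the net.inet.ip.fw.dyn_ack_lifetime and dyn_fin_lifetime sysctls, and the kernel keeps more state than this toy does.

```python
import ipaddress
from dataclasses import dataclass
# Constructed lifetimes modelled on the net.inet.ip.fw.dyn_ack_lifetime (300 s) and
# dyn_fin_lifetime (1 s) defaults; assumption: the short one applies once both ends sent FIN.
ACK_LIFETIME, FIN_LIFETIME = 300.0, 1.0
CLIENT, SERVER = ("10.11.12.17", 1025), ("203.0.113.7", 80)   # constructed endpoints
@dataclass
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int
    syn: bool = False; ack: bool = False; fin: bool = False; t: float = 0.0   # t: arrival (s)

@dataclass
class Rule:
    num: int; action: str                    # allow | deny | count | check-state
    proto: str = "ip"; src: str = "any"; dst: str = "any"; dport: int = 0    # dport 0 = any
    setup: bool = False; keep_state: bool = False; log: bool = False

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def static_match(r, p):
    """Match p against the rule body alone, ignoring dynamic state ('setup' = SYN without ACK)."""
    return (r.proto in ("ip", p.proto) and in_net(r.src, p.src) and in_net(r.dst, p.dst)
            and (not r.dport or r.dport == p.dport) and (not r.setup or (p.syn and not p.ack)))

def flow_key(p):                             # same key for both directions of a flow
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = {}      # flow key -> [parent rule, expiry, hosts that sent FIN]
        self.logged = []   # (rule number, packet) pairs that would reach syslog

    def dyn_lookup(self, p):
        ent = self.dyn.get(flow_key(p))
        if ent is None or ent[1] <= p.t:      # no entry, or expired and due to be reaped
            self.dyn.pop(flow_key(p), None)
            return None
        if p.fin:
            ent[2].add(p.src)
        ent[1] = p.t + (FIN_LIFETIME if len(ent[2]) == 2 else ACK_LIFETIME)
        return ent[0]

    def check(self, p):
        """Return (rule number, action) of the rule that decides p's fate."""
        for r in self.rules:
            if r.action == "check-state" or r.keep_state:
                parent = self.dyn_lookup(p)
                if parent is not None:        # dynamic match: parent's action and 'log' apply
                    if parent.log:
                        self.logged.append((parent.num, p))
                    return parent.num, parent.action
                if r.action == "check-state":
                    continue
            if not static_match(r, p):
                continue
            if r.log:
                self.logged.append((r.num, p))
            if r.keep_state:
                self.dyn[flow_key(p)] = [r, p.t + ACK_LIFETIME, set()]
            if r.action != "count":           # count is the one non-terminating action modelled
                return r.num, r.action
        return 65535, "deny"                  # default rule of a kernel without DEFAULT_TO_ACCEPT

def ruleset(with_setup):                     # Shawn's 400/500/64000 shape, with or without 'setup'
    return [Rule(400, "check-state"),
            Rule(500, "allow", "tcp", "10.11.12.16/29", "any", setup=with_setup, keep_state=True),
            Rule(64000, "deny", log=True)]

def session(t0=0.0):                         # constructed handshake, inside client to web server
    return [Packet("tcp", *CLIENT, *SERVER, syn=True, t=t0),
            Packet("tcp", *SERVER, *CLIENT, syn=True, ack=True, t=t0 + 0.1),
            Packet("tcp", *CLIENT, *SERVER, ack=True, t=t0 + 0.2)]

def stray_packet(with_setup):
    """Lone ACK (no SYN) from inside, then a 'reply' from outside: without 'setup' it gets through."""
    fw = Firewall(ruleset(with_setup))
    fw.check(Packet("tcp", *CLIENT, *SERVER, ack=True, t=0))
    return fw.check(Packet("tcp", *SERVER, *CLIENT, ack=True, t=1))

def late_fin():
    """Both ends FIN, then the server retransmits its FIN after the short lifetime: it hits deny."""
    fw = Firewall(ruleset(True))
    pkts = session() + [Packet("tcp", *CLIENT, *SERVER, fin=True, ack=True, t=10.0),
                        Packet("tcp", *SERVER, *CLIENT, fin=True, ack=True, t=10.2),
                        Packet("tcp", *SERVER, *CLIENT, fin=True, ack=True, t=14.0)]
    return [fw.check(p) for p in pkts]

def log_lines(two_rules):
    """Sierchio's trick: 'count log ... setup' before 'allow ... setup keep-state' logs once per session."""
    base = dict(proto="tcp", src="10.11.12.16/29", dst="any", dport=80, setup=True)
    rules = ([Rule(500, "count", log=True, **base), Rule(510, "allow", keep_state=True, **base)]
             if two_rules else [Rule(500, "allow", log=True, keep_state=True, **base)])
    fw = Firewall([Rule(400, "check-state"), Rule(64000, "deny")] + rules)
    for p in session():
        fw.check(p)
    return len(fw.logged)
```

From an interactive session, `Firewall(ruleset(True)).check(Packet("tcp", "10.0.2.6", 40000, "200.220.255.72", 80, syn=True))` is Daniel's query and returns the rule that decides it; `stray_packet(False)` returns an allow from rule 500 where `stray_packet(True)` returns the deny from 64000, the last entry of `late_fin()` is the 64000 deny Shawn saw in his logs while every earlier packet of the session was allowed, and `log_lines(True)` is 1 against 3 for the single-rule variant.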