From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 13 06:11:31 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1585037B407; Sun, 13 Jul 2003 06:11:31 -0700 (PDT)
Received: from serio.al.rim.or.jp (serio.al.rim.or.jp [202.247.191.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id BAD4D43FA3; Sun, 13 Jul 2003 06:11:29 -0700 (PDT) (envelope-from matoba@st.rim.or.jp)
Received: from mail6.rim.or.jp by serio.al.rim.or.jp (3.7W/HMX-13) id WAA24238; Sun, 13 Jul 2003 22:11:28 +0900 (JST)
Received: from localhost (ntkngw076167.kngw.nt.adsl.ppp.infoweb.ne.jp [220.145.116.167]) by mail6.rim.or.jp (8.9.3/3.7W) id WAA24211; Sun, 13 Jul 2003 22:11:26 +0900 (JST)
Date: Sun, 13 Jul 2003 22:11:15 +0900 (JST)
Message-Id: <20030713.221115.730550024.matoba@st.rim.or.jp>
To: freebsd-current@freebsd.org
From: MATOBA Hirozumi
In-Reply-To: <49176.192.168.1.10.1058098656.squirrel@webmail.xtaz.co.uk> <20030713.024127.730548457.matoba@st.rim.or.jp>
References: <49176.192.168.1.10.1058098656.squirrel@webmail.xtaz.co.uk>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW and/or rc rule parsing not working since today's cvsup
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 13 Jul 2003 13:11:31 -0000

On Sun, 13 Jul 2003 13:17:36 +0100 (BST), "Matt" wrote:
| The problem I have is this. In rc.conf I have the following:
|
| firewall_enable="YES"
| firewall_script="/etc/rc.firewall"
| firewall_type="/etc/ipfw.conf"
|
| And in /etc/ipfw.conf I have sets of rules one line at a time like:
|
| add 00010 divert natd all from any to any via xl0
| add 00120 allow tcp from any to any 80 via xl0
|
| etc.
|
| This has always worked for me ever since I first started using ipfw on
| fbsd 4.1 and has always worked on current until today's cvsup. Now though
| no rules get loaded.
|
| If I try what I have always done in the past which is ipfw -q flush &&
| ipfw /etc/ipfw.conf then it tells me:
|
| usage: ipfw [options]
| do "ipfw -h" or see ipfw manpage for details

If your "/etc/ipfw.conf" has blank line(s), then you may have met the same
situation as me. The mail that I posted to freebsd-ipfw@freebsd.org is:

There are 3 cases for calling show_usage() in ipfw2.c. My case is caught by
"if (l == 0)" in ipfw_main(). The other cases are caught by "if (ac == 0)" and
by "while ((ch = getopt(ac, av, "acdefhnNqs:STtv")) != -1) switch (ch) { ... default:".
--
matoba@st.rim.or.jp

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 13 19:36:11 2003
Date: Sun, 13 Jul 2003 21:36:06 -0500
From: Corey Frang
To: freebsd-ipfw@freebsd.org
Subject: Using IPFW as a traffic limiting solution?

I have looked into dummynet, and it seems to be what I want to do, however I am going a bit out of my league with this one. Here is a description of the system I want to set up:

A) I want to be able to INSURE bandwidth without limiting it in dead times. In other words, 10.1.0.0/16 should be able to always have 250kbit/sec available, but if no one else is using bandwidth, allow it to go as high as possible.

B) I want to be able to mark some clients as always limited.

C) I want to be able to set up multiple "classes" (right now using 10.1, 10.2, 10.3, 10.4, etc) with their own insurance on bandwidth.

Is dummynet the thing for this? Anyone have any suggestions where to look?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 14 01:52:14 2003
Date: Mon, 14 Jul 2003 01:52:12 -0700
From: Luigi Rizzo
To: MATOBA Hirozumi
Message-ID: <20030714015211.B23588@xorpc.icir.org>
References: <20030712002222.A78447@xorpc.icir.org> <20030713.024127.730548457.matoba@st.rim.or.jp>
In-Reply-To: <20030713.024127.730548457.matoba@st.rim.or.jp>; from matoba@st.rim.or.jp on Sun, Jul 13, 2003 at 02:41:27AM +0900
cc: freebsd-ipfw@freebsd.org
Subject: Re: [luigi@FreeBSD.org: cvs commit: src/sbin/ipfw ipfw2.c]

just committed a fix. Thanks for your patience.

cheers
luigi

On Sun, Jul 13, 2003 at 02:41:27AM +0900, MATOBA Hirozumi wrote:
> On Sat, 12 Jul 2003 00:22:22 -0700, Luigi Rizzo wrote:
...
> So some lines that are passed to ipfw_main() may be empty.
> But, in ipfw_main() of new ipfw2.c line 3609 (v 1.33 2003/07/12 08:35:25),
>
> if (l == 0) /* empty string! */
> show_usage();
>
> So when I used new ipfw, I got error below.
>
> command is /usr/bin/cpp
> usage: ipfw [options]
> do "ipfw -h" or see ipfw manpage for details

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 14 11:01:46 2003
Date: Mon, 14 Jul 2003 11:01:38 -0700 (PDT)
Message-Id: <200307141801.h6EI1cek084047@freefall.freebsd.org>
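The usage error quoted above comes from ipfw_main() treating an empty line of the cpp-preprocessed rule file as a bad command, with the result Matt reported: no rules loaded at all. As an added example (not code from ipfw or from anyone in this thread), here is a small in-memory rule-file reader in C that shows the behaviour a loader should have: blank and comment-only lines are no-ops, and the first line that cannot be processed is reported by number instead of aborting silently. The '#' comment convention, the function names and the demo_handle_rule stand-in for the rule compiler are all this example's own assumptions; the two rules in the constructed sample are the ones Matt quoted.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 32

/* Split one rule-file line into argv[] in place. A '#' starts a comment
 * (this example's convention). Returns argc, which is 0 for a blank or
 * comment-only line, or -1 if the line has more than max_args tokens. */
static int tokenize_rule_line(char *line, char *argv[], int max_args)
{
    int argc = 0;
    char *p = strchr(line, '#');

    if (p != NULL)
        *p = '\0';
    p = line;
    while (*p != '\0') {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;
        if (argc == max_args)
            return -1;
        argv[argc++] = p;
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;
        if (*p != '\0')
            *p++ = '\0';
    }
    return argc;
}

/* Feed each non-empty line of an in-memory rule file to handle_rule().
 * Empty lines are a no-op, not a usage error. Returns the number of rules
 * handed over, or the negated 1-based number of the first line that could
 * not be processed, so the operator learns which line stopped loading. */
int process_rule_file(const char *text, int (*handle_rule)(int, char **))
{
    char line[512], *argv[MAX_ARGS];
    int lineno = 0, rules = 0;
    const char *p = text;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t n = nl != NULL ? (size_t)(nl - p) : strlen(p);
        int argc;

        lineno++;
        if (n >= sizeof line)
            return -lineno;            /* over-long line: refuse, do not truncate */
        memcpy(line, p, n);
        line[n] = '\0';
        p += n + (nl != NULL ? 1 : 0);
        argc = tokenize_rule_line(line, argv, MAX_ARGS);
        if (argc == 0)
            continue;                  /* blank or comment-only: nothing to do */
        if (argc < 0 || handle_rule(argc, argv) != 0)
            return -lineno;
        rules++;
    }
    return rules;
}

/* Stand-in for the rule compiler: accept "add <num> <body...>" only and
 * remember the last rule number seen. */
static int last_rulenum = -1;

static int demo_handle_rule(int argc, char **argv)
{
    if (argc < 3 || strcmp(argv[0], "add") != 0)
        return -1;
    last_rulenum = atoi(argv[1]);
    return 0;
}

int demo_last_rulenum(void) { return last_rulenum; }

/* Constructed input modelled on the two rules quoted in the thread, with
 * blank, whitespace-only and comment lines mixed in. */
static const char SAMPLE_CONF[] =
    "# constructed sample, not a real /etc/ipfw.conf\n"
    "add 00010 divert natd all from any to any via xl0\n"
    "\n"
    "   \n"
    "add 00120 allow tcp from any to any 80 via xl0   # web\n"
    "\n";

/* Constructed input whose third line the handler rejects. */
static const char BAD_CONF[] =
    "add 00010 divert natd all from any to any via xl0\n"
    "\n"
    "delete 00010\n";

int run_sample(void) { last_rulenum = -1; return process_rule_file(SAMPLE_CONF, demo_handle_rule); }
int run_bad(void)    { last_rulenum = -1; return process_rule_file(BAD_CONF, demo_handle_rule); }
```

run_sample() returns 2 with the last rule number 120; run_bad() returns -3, naming the line that failed. A loader that stops on the first bad line and says which one is preferable to one that pr ints a generic usage message, because with a default-to-accept kernel a script that loads nothing leaves the host wide open, and with default-to-deny it locks the operator out.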
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/01/26] kern/47529  ipfw   natd/ipfw lose TCP packets for firewalled
o [2003/03/23] kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

2 problems total.

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r

8 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 14 14:35:52 2003
Message-ID: <3F132237.4010604@freebsdbrasil.com.br>
Date: Mon, 14 Jul 2003 18:35:51 -0300
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: Diego Linke - GAMK
cc: freebsd-ipfw@freebsd.org
Content-Type: multipart/mixed; boundary="------------040503050305070402090705"
Subject: Re: I have four ideia for IPFW2

This is a multi-part message in MIME format.
--------------040503050305070402090705
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

> >The logs with more information, as ( tcpflags (syn,ack,fin,rst...), ipoptions, iplen, iptos, ipttl...)
> >This could more be called by one keyword (ex: logfull) in the IPFW.
> >Sample:
> >ipfw add deny logfull ...
> >
> >Or a sysctl variable :-)
> >
>
> I have ancient patches on my FreeBSD homepage for that. Maybe someday
> I'll update them or even commit them.

Extended logging was really a desired feature Diego Linke and I used to talk about; CJC's patches couldn't apply on recent -current but reading them motivated and inspired us to do some changes.

The following patches add an "extended" keyword to ipfw2 logging statements; more detailed logging seemed to be more interesting for some rules than for others, so just enabling or not, via sysctl sounded too mandatory. A good idea was to allow usual logging or detailed ones to be a per-rule definition. Expected syntax adds the "extended" keyword between log and logamount, say, "... log extended logamount 2000 tcp from...", where extended stated rules like:

00400 39 1911 allow log extended logamount 800 tcp from me to 200.210.70.0/24 out xmit wi0 setup // extended log ging to wired network keep-state
00450 368 199919 allow log extended ip from { not me or 200.230.121.0/24 or 200.210.42.0/24 } to me in recv wi0 //lets analise incoming trash from wireless to me
00470 0 0 allow log extended logamount 20000 ip from any to any via ath0 // ext. log. experiental multimode unwired net
00500 1000 120379 allow ip from any to any
65535 0 0 deny ip from any to any

Will produce logging as:

Jul 14 17:55:36 redfield-claire kernel: ipfw: 450 Accept UDP 128.32.136.12:53 200.210.42.5:49476 in via wi0 (ttl 50, id 59167, len 189)

Jul 14 17:55:36 redfield-claire kernel: ipfw: 400 Accept TCP 200.210.42.5:49578 200.210.70.4:25 out via wi0 [iptos lowdelay (0x10)] [ipoptions lsrr,rr (0x05) ttl 64, id 0, len 60] [tcpflags syn (0x02) tcpoptions window,windowts,window,windowtstimestamp (0x0a)] ack number 0 seq number 1506862975

Jul 14 17:55:36 redfield-claire kernel: ipfw: 400 Accept TCP 200.210.70.4:25 200.210.42.5:49578 in via wi0 [iptos (0x00)] [ipoptions lsrr,rr (0x05) ttl 63, id 47927, len 44] [tcpflags syn,ack (0x12) tcpoptions window,windowsack (0x06)] ack number 1523640191 seq number 3568599789

--
Atenciosamente,

Patrick Tracanelli
patrick @ freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"

--------------040503050305070402090705
Content-Type: text/plain; name="ipfw2.c.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="ipfw2.c.patch"

--- /usr/src/sbin/ipfw/ipfw2.c Mon Jul 14 15:57:41 2003 +++ /usr/local/freebsdbrasil/cvs_root//usr/src/sbin/ipfw/ipfw2.c Mon Jul 14 17:08:48 2003
@@ -15,11 +15,11 @@ * * This software is provided ``AS IS'' without any warranties of any kind. * * NEW command line interface for IP firewall facility * - * $FreeBSD: /repoman/r/ncvs/src/sbin/ipfw/ipfw2.c,v 1.35 2003/07/14 18:57:41 luigi Exp $ + * $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sbin/ipfw/ipfw2.c,v 1.35 2003/07/14 18:57:41 luigi Exp $ */ #include #include #include @@ -1012,17 +1012,19 @@ default: printf("** unrecognized action %d len %d", cmd->opcode, cmd->len); } } - if (logptr) { - if (logptr->max_log > 0) - printf(" log logamount %d", logptr->max_log); - else - printf(" log"); - } + /* Extended logging */ + if (logptr) { + if (logptr->max_log > 0) + printf(" log%s logamount %d", logptr->extended == 1 ? " extended" : " ", logptr->max_log); + else + printf(" log%s",logptr->extended == 1 ? " extended" : ""); + } + /* * then print the body. */ if (rule->_pad & 1) { /* empty rules before options */ if (!do_compact) @@ -2880,11 +2882,11 @@ errx(EX_DATAERR, "invalid action %s\n", av[-1]); } action = next_cmd(action); /* - * [log [logamount N]] -- log, optional + * [log [extended] [logamount N]] -- log, optional * * If exists, it goes first in the cmdbuf, but then it is * skipped in the copy section to the end of the buffer. */ if (ac && !strncmp(*av, "log", strlen(*av))) { @@ -2892,10 +2894,19 @@ int l; cmd->len = F_INSN_SIZE(ipfw_insn_log); cmd->opcode = O_LOG; av++; ac--; + + /* Extended logging */ + if (ac && !strncmp(*av, "extended", strlen(*av))) { + c->extended = 1; + ac--; av++; + } + + + if (ac && !strncmp(*av, "logamount", strlen(*av))) { ac--; av++; NEED1("logamount requires argument"); l = atoi(*av); if (l < 0) --------------040503050305070402090705 Content-Type: text/plain; name="ip_fw.h.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ip_fw.h.patch" --- /usr/src/sys/netinet/ip_fw.h Fri Jul 11 07:02:08 2003 +++ /usr/local/freebsdbrasil/cvs_root/usr/src/sys/netinet/ip_fw.h Mon Jul 14 16:56:43 2003 
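Review bot: in the @@ -1012,17 +1012,19 @@ hunk the non-extended branch of the first printf passes " " as the %s argument, so an ordinary `log logamount N` rule now lists as `log  logamount N` with a doubled space, while the `else` branch below it correctly passes ""; make both ternaries `logptr->extended == 1 ? " extended" : ""`. The `/* Extended logging */` comment is also placed above the whole `if (logptr)` block, which is otherwise unchanged; put it next to the ternary it explains.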
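Review bot: in the @@ -2892,10 +2894,19 @@ hunk `!strncmp(*av, "extended", strlen(*av))` treats any prefix of the keyword as a match, so `log e ...` or `log ex ...` silently sets the flag; this copies the style of the `logamount` test below it, but a token that short is more likely a typo in the rule body than an abbreviation, so compare the whole word or require a minimum length. The new keyword is also absent from the help text and ipfw(8); the comment `* [log [extended] [logamount N]] -- log, optional` in the previous hunk is its only documentation. The three blank `+` lines after the new `if` block should be dropped.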
@@ -261,11 +261,11 @@ */ typedef struct _ipfw_insn_log { ipfw_insn o; u_int32_t max_log; /* how many do we log -- 0 = all */ u_int32_t log_left; /* how many left to log */ + u_int32_t extended; /* Extended logging */ } ipfw_insn_log; /* * Here we have the structure representing an ipfw rule. * --------------040503050305070402090705 Content-Type: text/plain; name="ip_fw2.c.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ip_fw2.c.patch" --- /usr/src/sys/netinet/ip_fw2.c Sat Jul 12 02:54:17 2003 +++ /usr/local/freebsdbrasil/cvs_root/usr/src/sys/netinet/ip_fw2.c Mon Jul 14 16:55:45 2003 @@ -20,15 +20,21 @@ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: /repoman/r/ncvs/src/sys/netinet/ip_fw2.c,v 1.36 2003/07/12 05:54:17 luigi Exp $ + * $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netinet/ip_fw2.c,v 1.36 2003/07/12 05:54:17 luigi Exp $ */ -#define DEB(x) -#define DDB(x) x +#define DEB(x) +#define DDB(x) x + +/* Extended logging */ +#define GFLAGS_LEN 35 +#define GIOPTS_LEN 28 +#define GITOS_LEN 28 +#define GTOPTS_LEN 55 /* * Implement IP packet firewall (new version) */ 
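Review bot: the @@ -261,11 +261,11 @@ hunk in ip_fw.h appends `u_int32_t extended` to ipfw_insn_log, which changes F_INSN_SIZE(ipfw_insn_log) and with it the layout of every O_LOG instruction that ipfw(8) hands to the kernel, so a userland ipfw and a kernel built from different trees will disagree on the rule encoding. Luigi's reply in this thread points out that the O_LOG command header already has spare room, so the flag can live there without touching the structure or the ABI. The hunk header also claims 11 lines on both sides while the hunk adds one line and removes none, which suggests the counts were edited by hand; regenerate the patch with diff -u so it applies cleanly.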
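Review bot: in the @@ -20,15 +20,21 @@ hunk of ip_fw2.c the `#define DEB(x)` / `#define DDB(x) x` lines are removed and re-added with no visible change, which is whitespace noise that makes the real change harder to review; drop those four lines from the patch. The GFLAGS_LEN, GIOPTS_LEN, GITOS_LEN and GTOPTS_LEN constants are sized to the specific name lists further down with no comment saying so; either derive them from the tables or document the bound, since adding a table entry would otherwise silently truncate the output.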
@@ -111,10 +117,61 @@ MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); static int fw_debug = 1; static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ +/* Extended logging */ + +struct _s_x { + char *s; + int x; +}; + +static struct _s_x f_tcpflags[] = { + { "syn", TH_SYN }, + { "fin", TH_FIN }, + { "ack", TH_ACK }, + { "psh", TH_PUSH }, + { "rst", TH_RST }, + { "urg", TH_URG }, + { "tcp flag", 0 }, + { NULL, 0 } +}; + + static struct _s_x f_ipopts[] = { + { "ssrr", IP_FW_IPOPT_SSRR}, + { "lsrr", IP_FW_IPOPT_LSRR}, + { "rr", IP_FW_IPOPT_RR}, + { "ts", IP_FW_IPOPT_TS}, + { "ip option", 0 }, + { NULL, 0 } +}; + +static struct _s_x f_iptos[] = { + { "lowdelay", IPTOS_LOWDELAY}, + { "throughput", IPTOS_THROUGHPUT}, + { "reliability", IPTOS_RELIABILITY}, + { "mincost", IPTOS_MINCOST}, + { "congestion", IPTOS_CE}, + { "ecntransport", IPTOS_ECT}, + { "ip tos option", 0}, + { NULL, 0 } +}; + +static struct _s_x f_tcpopts[] = { + { "mss", IP_FW_TCPOPT_MSS }, + { "maxseg", IP_FW_TCPOPT_MSS }, + { "window", IP_FW_TCPOPT_WINDOW }, + { "sack", IP_FW_TCPOPT_SACK }, + { "ts", IP_FW_TCPOPT_TS }, + { "timestamp", IP_FW_TCPOPT_TS }, + { "cc", IP_FW_TCPOPT_CC }, + { "tcp option", 0 }, + { NULL, 0 } +}; + + #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW | CTLFLAG_SECURE3, &fw_enable, 0, "Enable ipfw"); @@ -455,17 +512,18 @@ /* * We enter here when we have a rule with O_LOG. * XXX this function alone takes about 2Kbytes of code! */ + static void ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh, struct mbuf *m, struct ifnet *oif) { char *action; - int limit_reached = 0; - char action2[40], proto[48], fragment[28]; + int limit_reached = 0, extended = 0; + char action2[40], proto[48], fragment[28], ipvals[200]; fragment[0] = '\0'; proto[0] = '\0'; if (f == NULL) { /* bogus pkt */ 
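Review bot: in the @@ -111,10 +117,61 @@ hunk each table carries two terminators, a `{ "tcp flag", 0 }`-style entry and `{ NULL, 0 }`; the loops that consume these tables stop at `x != 0`, so the NULL entry is unreachable and the string in the first sentinel is never printed. Keep one sentinel. `char *s` should be `const char *s` since the entries are string literals, and `static struct _s_x f_ipopts[] = {` has stray leading whitespace. The IP_FW_IPOPT_* and IP_FW_TCPOPT_* keys are bit values describing which options are present, so whatever consumes these tables has to supply a bitmap of present options, not a raw header field.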
@@ -486,10 +544,13 @@ limit_reached = l->max_log; cmd += F_LEN(cmd); /* point to first action */ if (cmd->opcode == O_PROB) cmd += F_LEN(cmd); + /* Extended logging rule */ + extended = l->extended; + action = action2; switch (cmd->opcode) { case O_DENY: action = "Deny"; break; @@ -571,11 +632,11 @@ switch (ip->ip_p) { case IPPROTO_TCP: len = snprintf(SNPARGS(proto, 0), "TCP %s", inet_ntoa(ip->ip_src)); if (offset == 0) - snprintf(SNPARGS(proto, len), ":%d %s:%d", + len += snprintf(SNPARGS(proto, len), ":%d %s:%d", ntohs(tcp->th_sport), inet_ntoa(ip->ip_dst), ntohs(tcp->th_dport)); else snprintf(SNPARGS(proto, len), " %s", 
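Review bot: in the @@ -571,11 +632,11 @@ hunk the change to `len += snprintf(...)` only matters if something later appends to `proto` at offset `len`; nothing in the visible hunks does, so the change is unnecessary here. If a later append is planned, note that snprintf returns the length it would have written rather than the length it did write, so `len` can end up past the end of `proto` and the later append would be silently dropped.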
@@ -619,24 +680,78 @@ if (ip_off & (IP_MF | IP_OFFMASK)) snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)", ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2), offset << 3, (ip_off & IP_MF) ? "+" : ""); + + if (extended == 1) { + int i; + char g_flags[GFLAGS_LEN]="", g_ipopts[GIOPTS_LEN]="", g_iptos[GITOS_LEN]="", g_tcpopts[GTOPTS_LEN]="", comma[1]=""; + + u_char set = tcp->th_flags & 0xff; + u_char setopt = ip->ip_hl & 0xff; + u_char settos = ip->ip_tos & 0xff; + u_char settcpopt = tcp->th_off & 0xff; + + if (ip->ip_p == 6) { + for (i=0; f_tcpflags[i].x != 0; i++) + { + if (set & f_tcpflags[i].x) + { + snprintf(g_flags, GFLAGS_LEN-1, "%s%s%s", g_flags, comma, f_tcpflags[i].s); + comma[0] = ','; + } + } + comma[0] = NULL; /* reset comma */ + for (i=0; f_ipopts[i].x != 0; i++) + { + if (setopt & f_ipopts[i].x) + { + snprintf(g_ipopts, GIOPTS_LEN-1, "%s%s%s", g_ipopts, comma, f_ipopts[i].s); + comma[0] = ','; + } + } + comma[0] = NULL; /* once again */ + for (i=0; f_iptos[i].x != 0; i++) + { + if (settos & f_iptos[i].x) + { + snprintf(g_iptos, GITOS_LEN-1, "%s%s%s", g_iptos, comma, f_iptos[i].s); + comma[0] = ','; + } + } + comma[0] = NULL; + for (i=0; f_tcpopts[i].x != 0; i++) + { + if (settcpopt & f_tcpopts[i].x) + { + snprintf(g_tcpopts, GTOPTS_LEN-1, "%s%s%s", g_tcpopts, comma, f_tcpopts[i].s); + comma[0] = ','; + } + } + snprintf(SNPARGS(ipvals, 0), " [iptos %s (0x%02x)] [ipoptions %s (0x%02x) ttl %u, id %u, len %u] [tcpflags %s (0x%02x) tcpoptions %s (0x%02x)] ack number %u seq number %u", + g_iptos, ip->ip_tos, g_ipopts, ip->ip_hl, ip->ip_ttl, ntohs(ip->ip_id), ip_len, + g_flags, tcp->th_flags, g_tcpopts, tcp->th_off, tcp->th_ack, tcp->th_seq); + } else { + snprintf(SNPARGS(ipvals, 0), " (ttl %u, id %u, len %u)", ip->ip_ttl, ntohs(ip->ip_id), ip_len); + } + } else + ipvals[0] = '\0'; } if (oif || m->m_pkthdr.rcvif) log(LOG_SECURITY | LOG_INFO, - "ipfw: %d %s %s %s via %s%d%s\n", + "ipfw: %d %s %s %s via %s%d%s%s\n", f ? f->rulenum : -1, action, proto, oif ? 
"out" : "in", oif ? oif->if_name : m->m_pkthdr.rcvif->if_name, oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit, - fragment); + fragment, ipvals); else log(LOG_SECURITY | LOG_INFO, - "ipfw: %d %s %s [no if info]%s\n", + "ipfw: %d %s %s [no if info]%s%s\n", f ? f->rulenum : -1, - action, proto, fragment); + action, proto, fragment, ipvals); if (limit_reached) log(LOG_SECURITY | LOG_NOTICE, "ipfw: limit %d reached on entry %d\n", limit_reached, f ? f->rulenum : -1); } --------------040503050305070402090705-- From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 14 15:17:41 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7554237B401 for ; Mon, 14 Jul 2003 15:17:41 -0700 (PDT) Received: from parati.mdbrasil.com.br (parati.mdbrasil.com.br [200.210.70.4]) by mx1.FreeBSD.org (Postfix) with SMTP id 07B4643F3F for ; Mon, 14 Jul 2003 15:17:40 -0700 (PDT) (envelope-from eksffa@freebsdbrasil.com.br) Received: (qmail 38647 invoked by uid 85); 14 Jul 2003 22:18:53 -0000 Received: from eksffa@freebsdbrasil.com.br by parati.mdbrasil.com.br by uid 82 with qmail-scanner-1.16 ( Clear:. Processed in 0.021882 secs); 14 Jul 2003 22:18:53 -0000 Received: from unknown (HELO freebsdbrasil.com.br) (200.210.42.5) by parati.mdbrasil.com.br with SMTP; 14 Jul 2003 19:18:53 -0300 Message-ID: <3F132C01.4010306@freebsdbrasil.com.br> Date: Mon, 14 Jul 2003 19:17:37 -0300 
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: freebsd-ipfw@freebsd.org
References: <20030712002222.A78447@xorpc.icir.org>
In-Reply-To: <20030712002222.A78447@xorpc.icir.org>
Subject: Re: [luigi@FreeBSD.org: cvs commit: src/sbin/ipfw ipfw2.c]

>
> * implement comments in ipfw commands. These are implemented in the
> kernel as O_NOP commands (which always match) whose body contains
> the comment string. In userland, a comment is a C++-style comment
> appended to the rule:
>
> ipfw add allow ip from me to any // i can talk to everybody
>
> cheers
> luigi

Got a funny behaviour here; keep-state option is displayed after comment, see:

ipfw 200 add count tcp from any to any out xmit ath0 setup keep-state // comment
00200 count tcp from any to any out xmit ath0 setup // comment keep-state

ipfw sh 200
00200 47 5537 count tcp from any to any out xmit ath0 setup // comment keep-state

But still works:

## Dynamic rules (1):
00200 10 472 (0s) STATE tcp 200.210.42.5 49653 <-> 200.210.70.4 25

Just a display misbehaviour;

--
Atenciosamente,

Patrick Tracanelli
patrick @ freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 14 15:52:14 2003
Date: Mon, 14 Jul 2003 15:52:12 -0700
From: Luigi Rizzo
To: Patrick Tracanelli
Message-ID: <20030714155212.A38304@xorpc.icir.org>
References: <20030712002222.A78447@xorpc.icir.org> <3F132C01.4010306@freebsdbrasil.com.br>
In-Reply-To: <3F132C01.4010306@freebsdbrasil.com.br>; from eksffa@freebsdbrasil.com.br on Mon, Jul 14, 2003 at 07:17:37PM -0300
cc: freebsd-ipfw@freebsd.org
Subject: Re: [luigi@FreeBSD.org: cvs commit: src/sbin/ipfw ipfw2.c]

On Mon, Jul 14, 2003 at 07:17:37PM -0300, Patrick Tracanelli wrote:
...
> Got a funny behaviour here; keep-state option is displayed after
> comment, see:
...
> But still works:
> Just a display misbehaviour;

you are right, thanks for pointing out

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 14 15:55:44 2003
Message-ID: <3F1334EB.4050506@edgefocus.com>
Date: Mon, 14 Jul 2003 15:55:39 -0700
From: Sean Hafeez
To: freebsd-ipfw@freebsd.org
References: <200307092343.JAA04684@lightning.itga.com.au>
In-Reply-To: <200307092343.JAA04684@lightning.itga.com.au>
Subject: loose udp routing?

i have some users asking about this for gaming. seems to be a hack. i have my network wide open in the rules. cannot seem to find anything about this in freebsd -just a few questions in openbsd and a patch for linux. anyone know anything?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 14 16:17:25 2003
From: Don Bowman
To: 'Sean Hafeez' , freebsd-ipfw@freebsd.org
Date: Mon, 14 Jul 2003 19:17:22 -0400
Subject: RE: loose udp routing?

From: Sean Hafeez [mailto:sahafeez@edgefocus.com]
>
> i have some users asking about this for gaming. seems to be a hack. i
> have my network wide open in the rules. cannot seem to find anything
> about this in freebsd -just a few questions in openbsd and a patch for
> linux. anyone know anything?
>

net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0

may be what you want?

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 15 00:41:19 2003
Date: Tue, 15 Jul 2003 00:41:13 -0700
From: Luigi Rizzo
To: Patrick Tracanelli
Message-ID: <20030715004113.A99565@xorpc.icir.org>
References: <3F132237.4010604@freebsdbrasil.com.br>
In-Reply-To: <3F132237.4010604@freebsdbrasil.com.br>; from eksffa@freebsdbrasil.com.br on Mon, Jul 14, 2003 at 06:35:51PM -0300
cc: freebsd-ipfw@freebsd.org
cc: Diego Linke - GAMK
Subject: Re: I have four ideia for IPFW2

On Mon, Jul 14, 2003 at 06:35:51PM -0300, Patrick Tracanelli wrote:
...
> The following patches add an "extended" keyword to ipfw2 logging
> statements; more detailed logging seemed to be more interesting for some
> rules than for others, so just enabling or not, via sysctl sounded too
> mandatory. A good idea was to allow usual logging or detailed ones to be
> a per-rule definition;

There is already room in the O_LOG command header so we do not need to modify ip_fw[2].h to add a field in the structure (helps with binary compatibility). In fact, this would allow different levels of verbosity in the logs.

cheers
luigi

> Expected syntax adds "extended" keyword between log and logamount, say,
> "... log extended logamount 2000 tcp from...", where extended stated
> rules like:
>
> 00400 39 1911 allow log extended logamount 800 tcp from me to
> 200.210.70.0/24 out xmit wi0 setup // extended log ging to wired network
> keep-state
>
> 00450 368 199919 allow log extended ip from { not me or
> 200.230.121.0/24 or 200.210.42.0/24 } to me in recv wi0 //lets analise
> incoming trash from wireless to me
> 00470 0 0 allow log extended logamount 20000 ip from any to any
> via ath0 // ext. log. experiental multimode unwired net
> 00500 1000 120379 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> Will produce logging as:
>
> Jul 14 17:55:36 redfield-claire kernel: ipfw: 450 Accept UDP
> 128.32.136.12:53 200.210.42.5:49476 in via wi0 (ttl 50, id 59167, len 189)
>
> Jul 14 17:55:36 redfield-claire kernel: ipfw: 400 Accept TCP
> 200.210.42.5:49578 200.210.70.4:25 out via wi0 [iptos lowdelay (0x10)]
> [ipoptions lsrr,rr (0x05) ttl 64, id 0, len 60]
> [tcpflags syn (0x02) tcpoptions window,windowts,window,windowtstimestamp
> (0x0a)] ack number 0 seq number 1506862975
>
> Jul 14 17:55:36 redfield-claire kernel: ipfw: 400 Accept TCP
> 200.210.70.4:25 200.210.42.5:49578 in via wi0 [iptos (0x00)] [ipoptions
> lsrr,rr (0x05) ttl 63, id 47927, len 44] [tcpflags syn,ack (0x12)
> tcpoptions window,windowsack (0x06)] ack number 1523640191 seq number
> 3568599789
>
> --
> Atenciosamente,
>
> Patrick Tracanelli
> patrick @ freebsdbrasil.com.br
> "Long live Hanin Elias, Kim Deal!"

> --- /usr/src/sbin/ipfw/ipfw2.c Mon Jul 14 15:57:41 2003 > +++ /usr/local/freebsdbrasil/cvs_root//usr/src/sbin/ipfw/ipfw2.c Mon Jul 14 17:08:48 2003 > @@ -15,11 +15,11 @@ > * > * This software is provided ``AS IS'' without any warranties of any kind. > * > * NEW command line interface for IP firewall facility > * > - * $FreeBSD: /repoman/r/ncvs/src/sbin/ipfw/ipfw2.c,v 1.35 2003/07/14 18:57:41 luigi Exp $ > + * $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sbin/ipfw/ipfw2.c,v 1.35 2003/07/14 18:57:41 luigi Exp $ > */ > > #include > #include > #include
> @@ -1012,17 +1012,19 @@ > default: > printf("** unrecognized action %d len %d", > cmd->opcode, cmd->len); > } > } > - if (logptr) { > - if (logptr->max_log > 0) > - printf(" log logamount %d", logptr->max_log); > - else > - printf(" log"); > - } > > + /* Extended logging */ > + if (logptr) { > + if (logptr->max_log > 0) > + printf(" log%s logamount %d", logptr->extended == 1 ? " extended" : " ", logptr->max_log); > + else > + printf(" log%s",logptr->extended == 1 ? " extended" : ""); > + } > + > /* > * then print the body. > */ > if (rule->_pad & 1) { /* empty rules before options */ > if (!do_compact) > @@ -2880,11 +2882,11 @@ > errx(EX_DATAERR, "invalid action %s\n", av[-1]); > } > action = next_cmd(action); > > /* > - * [log [logamount N]] -- log, optional > + * [log [extended] [logamount N]] -- log, optional > * > * If exists, it goes first in the cmdbuf, but then it is > * skipped in the copy section to the end of the buffer. > */ > if (ac && !strncmp(*av, "log", strlen(*av))) { > @@ -2892,10 +2894,19 @@ > int l; > > cmd->len = F_INSN_SIZE(ipfw_insn_log); > cmd->opcode = O_LOG; > av++; ac--; > + > + /* Extended logging */ > + if (ac && !strncmp(*av, "extended", strlen(*av))) { > + c->extended = 1; > + ac--; av++; > + } > + > + > + > if (ac && !strncmp(*av, "logamount", strlen(*av))) { > ac--; av++; > NEED1("logamount requires argument"); > l = atoi(*av); > if (l < 0) > > --- /usr/src/sys/netinet/ip_fw.h Fri Jul 11 07:02:08 2003 > +++ /usr/local/freebsdbrasil/cvs_root/usr/src/sys/netinet/ip_fw.h Mon Jul 14 16:56:43 2003 
> @@ -261,11 +261,11 @@ > */ > typedef struct _ipfw_insn_log { > ipfw_insn o; > u_int32_t max_log; /* how many do we log -- 0 = all */ > u_int32_t log_left; /* how many left to log */ > + u_int32_t extended; /* Extended logging */ > } ipfw_insn_log; > > /* > * Here we have the structure representing an ipfw rule. > * > > --- /usr/src/sys/netinet/ip_fw2.c Sat Jul 12 02:54:17 2003 > +++ /usr/local/freebsdbrasil/cvs_root/usr/src/sys/netinet/ip_fw2.c Mon Jul 14 16:55:45 2003 > @@ -20,15 +20,21 @@ > * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT > * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY > * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF > * SUCH DAMAGE. > * > - * $FreeBSD: /repoman/r/ncvs/src/sys/netinet/ip_fw2.c,v 1.36 2003/07/12 05:54:17 luigi Exp $ > + * $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netinet/ip_fw2.c,v 1.36 2003/07/12 05:54:17 luigi Exp $ > */ > > -#define DEB(x) > -#define DDB(x) x > +#define DEB(x) > +#define DDB(x) x > + > +/* Extended logging */ > +#define GFLAGS_LEN 35 > +#define GIOPTS_LEN 28 > +#define GITOS_LEN 28 > +#define GTOPTS_LEN 55 > > /* > * Implement IP packet firewall (new version) > */ 
> > @@ -111,10 +117,61 @@ > MALLOC_DEFINE(M_IPFW, "IpFw/IpAcct", "IpFw/IpAcct chain's"); > > static int fw_debug = 1; > static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ > > +/* Extended logging */ > + > +struct _s_x { > + char *s; > + int x; > +}; > + > +static struct _s_x f_tcpflags[] = { > + { "syn", TH_SYN }, > + { "fin", TH_FIN }, > + { "ack", TH_ACK }, > + { "psh", TH_PUSH }, > + { "rst", TH_RST }, > + { "urg", TH_URG }, > + { "tcp flag", 0 }, > + { NULL, 0 } > +}; > + > + static struct _s_x f_ipopts[] = { > + { "ssrr", IP_FW_IPOPT_SSRR}, > + { "lsrr", IP_FW_IPOPT_LSRR}, > + { "rr", IP_FW_IPOPT_RR}, > + { "ts", IP_FW_IPOPT_TS}, > + { "ip option", 0 }, > + { NULL, 0 } > +}; > + > +static struct _s_x f_iptos[] = { > + { "lowdelay", IPTOS_LOWDELAY}, > + { "throughput", IPTOS_THROUGHPUT}, > + { "reliability", IPTOS_RELIABILITY}, > + { "mincost", IPTOS_MINCOST}, > + { "congestion", IPTOS_CE}, > + { "ecntransport", IPTOS_ECT}, > + { "ip tos option", 0}, > + { NULL, 0 } > +}; > + > +static struct _s_x f_tcpopts[] = { > + { "mss", IP_FW_TCPOPT_MSS }, > + { "maxseg", IP_FW_TCPOPT_MSS }, > + { "window", IP_FW_TCPOPT_WINDOW }, > + { "sack", IP_FW_TCPOPT_SACK }, > + { "ts", IP_FW_TCPOPT_TS }, > + { "timestamp", IP_FW_TCPOPT_TS }, > + { "cc", IP_FW_TCPOPT_CC }, > + { "tcp option", 0 }, > + { NULL, 0 } > +}; > + > + > #ifdef SYSCTL_NODE > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, > CTLFLAG_RW | CTLFLAG_SECURE3, > &fw_enable, 0, "Enable ipfw"); 
> @@ -455,17 +512,18 @@ > > /* > * We enter here when we have a rule with O_LOG. > * XXX this function alone takes about 2Kbytes of code! > */ > + > static void > ipfw_log(struct ip_fw *f, u_int hlen, struct ether_header *eh, > struct mbuf *m, struct ifnet *oif) > { > char *action; > - int limit_reached = 0; > - char action2[40], proto[48], fragment[28]; > + int limit_reached = 0, extended = 0; > + char action2[40], proto[48], fragment[28], ipvals[200]; > > fragment[0] = '\0'; > proto[0] = '\0'; > > if (f == NULL) { /* bogus pkt */ > @@ -486,10 +544,13 @@ > limit_reached = l->max_log; > cmd += F_LEN(cmd); /* point to first action */ > if (cmd->opcode == O_PROB) > cmd += F_LEN(cmd); > > + /* Extended logging rule */ > + extended = l->extended; > + > action = action2; > switch (cmd->opcode) { > case O_DENY: > action = "Deny"; > break; > @@ -571,11 +632,11 @@ > switch (ip->ip_p) { > case IPPROTO_TCP: > len = snprintf(SNPARGS(proto, 0), "TCP %s", > inet_ntoa(ip->ip_src)); > if (offset == 0) > - snprintf(SNPARGS(proto, len), ":%d %s:%d", > + len += snprintf(SNPARGS(proto, len), ":%d %s:%d", > ntohs(tcp->th_sport), > inet_ntoa(ip->ip_dst), > ntohs(tcp->th_dport)); > else > snprintf(SNPARGS(proto, len), " %s", 
> @@ -619,24 +680,78 @@ > if (ip_off & (IP_MF | IP_OFFMASK)) > snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)", > ntohs(ip->ip_id), ip_len - (ip->ip_hl << 2), > offset << 3, > (ip_off & IP_MF) ? "+" : ""); > + > + if (extended == 1) { > + int i; > + char g_flags[GFLAGS_LEN]="", g_ipopts[GIOPTS_LEN]="", g_iptos[GITOS_LEN]="", g_tcpopts[GTOPTS_LEN]="", comma[1]=""; > + > + u_char set = tcp->th_flags & 0xff; > + u_char setopt = ip->ip_hl & 0xff; > + u_char settos = ip->ip_tos & 0xff; > + u_char settcpopt = tcp->th_off & 0xff; > + > + if (ip->ip_p == 6) { > + for (i=0; f_tcpflags[i].x != 0; i++) > + { > + if (set & f_tcpflags[i].x) > + { > + snprintf(g_flags, GFLAGS_LEN-1, "%s%s%s", g_flags, comma, f_tcpflags[i].s); > + comma[0] = ','; > + } > + } > + comma[0] = NULL; /* reset comma */ > + for (i=0; f_ipopts[i].x != 0; i++) > + { > + if (setopt & f_ipopts[i].x) > + { > + snprintf(g_ipopts, GIOPTS_LEN-1, "%s%s%s", g_ipopts, comma, f_ipopts[i].s); > + comma[0] = ','; > + } > + } > + comma[0] = NULL; /* once again */ > + for (i=0; f_iptos[i].x != 0; i++) > + { > + if (settos & f_iptos[i].x) > + { > + snprintf(g_iptos, GITOS_LEN-1, "%s%s%s", g_iptos, comma, f_iptos[i].s); > + comma[0] = ','; > + } > + } > + comma[0] = NULL; > + for (i=0; f_tcpopts[i].x != 0; i++) > + { > + if (settcpopt & f_tcpopts[i].x) > + { > + snprintf(g_tcpopts, GTOPTS_LEN-1, "%s%s%s", g_tcpopts, comma, f_tcpopts[i].s); > + comma[0] = ','; > + } > + } > + snprintf(SNPARGS(ipvals, 0), " [iptos %s (0x%02x)] [ipoptions %s (0x%02x) ttl %u, id %u, len %u] [tcpflags %s (0x%02x) tcpoptions %s (0x%02x)] ack number %u seq number %u", > + g_iptos, ip->ip_tos, g_ipopts, ip->ip_hl, ip->ip_ttl, ntohs(ip->ip_id), ip_len, > + g_flags, tcp->th_flags, g_tcpopts, tcp->th_off, tcp->th_ack, tcp->th_seq); > + } else { > + snprintf(SNPARGS(ipvals, 0), " (ttl %u, id %u, len %u)", ip->ip_ttl, ntohs(ip->ip_id), ip_len); > + } > + } else > + ipvals[0] = '\0'; > } > if (oif || m->m_pkthdr.rcvif) > log(LOG_SECURITY | 
LOG_INFO, > - "ipfw: %d %s %s %s via %s%d%s\n", > + "ipfw: %d %s %s %s via %s%d%s%s\n", > f ? f->rulenum : -1, > action, proto, oif ? "out" : "in", > oif ? oif->if_name : m->m_pkthdr.rcvif->if_name, > oif ? oif->if_unit : m->m_pkthdr.rcvif->if_unit, > - fragment); > + fragment, ipvals); > else > log(LOG_SECURITY | LOG_INFO, > - "ipfw: %d %s %s [no if info]%s\n", > + "ipfw: %d %s %s [no if info]%s%s\n", > f ? f->rulenum : -1, > - action, proto, fragment); > + action, proto, fragment, ipvals); > if (limit_reached) > log(LOG_SECURITY | LOG_NOTICE, > "ipfw: limit %d reached on entry %d\n", > limit_reached, f ? f->rulenum : -1); > } > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 15 08:00:10 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E88B137B401 for ; Tue, 15 Jul 2003 08:00:10 -0700 (PDT) Received: from afrodite.gamk.com.br (4-094.ctame701-5.telepar.net.br [200.181.150.94]) by mx1.FreeBSD.org (Postfix) with SMTP id 51FE043FA3 for ; Tue, 15 Jul 2003 08:00:04 -0700 (PDT) (envelope-from linke@calnet.com.br) Received: (qmail 5111 invoked from network); 15 Jul 2003 15:06:46 -0000 Received: from unknown (HELO work.gamk.com.br) (127.0.0.1) by 0 with SMTP; 15 Jul 2003 15:06:46 -0000 Date: Tue, 15 Jul 2003 12:06:46 -0300 
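Review bot: the first ipfw2.c hunk (@@ -15,11 +15,11 @@) changes only the $FreeBSD$ keyword line, replacing the repository path with a local /usr/local/www/cvsroot checkout path; that is keyword-expansion noise from diffing two checkouts and would not apply cleanly upstream. Regenerate the diff with "cvs diff -kk" or drop this hunk (and the matching one at the top of ip_fw2.c) so the patch carries only the extended-logging change.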
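Review bot: in the rule-printing hunk of ipfw2.c (@@ -1012,17 +1012,19 @@) the first printf uses " " as the non-extended value of its %s argument, so an ordinary "log logamount N" rule is now printed as "log  logamount N" with a double space; it should be "", as in the second printf. If the flag moves into the spare o.arg1 of the instruction header instead of a new struct member, both printfs should test that field rather than logptr->extended.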
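Review bot: the parser hunk of ipfw2.c (@@ -2892,10 +2894,19 @@) adds three trailing blank lines after the new block; drop them. The keyword test follows the surrounding prefix-match style (strncmp(*av, "extended", strlen(*av))), which accepts any prefix down to a bare "e"; that is consistent with how "logamount" is parsed, so it is a style point only. "c->extended = 1" is the one place that writes the new field; storing the flag in c->o.arg1 instead would let ip_fw.h stay unchanged.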
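Review bot: the ip_fw.h hunk (@@ -261,11 +261,11 @@) adds a u_int32_t to ipfw_insn_log, so F_INSN_SIZE(ipfw_insn_log), which the parser hunk stores in cmd->len, grows by one word; an ipfw(8) built before the change sends O_LOG instructions that the new kernel considers short, and vice versa. That is the binary-compatibility point raised in the reply: ipfw_insn already carries a spare arg1 field that O_LOG does not use, so keep the struct as it is and carry the flag there.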
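Review bot: the ip_fw2.c header hunk (@@ -20,15 +20,21 @@) removes and re-adds the DEB/DDB macro lines with no visible change, which is whitespace churn to drop, alongside the same $FreeBSD$ keyword rewrite noted for ipfw2.c. The buffer sizes GFLAGS_LEN 35, GIOPTS_LEN 28, GITOS_LEN 28 and GTOPTS_LEN 55 are magic numbers; a comment stating that each is the length of every name in the matching table joined by commas (or a sizeof-based computation) would let a reader verify that the snprintf calls in ipfw_log() cannot truncate.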
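Review bot: the table hunk of ip_fw2.c (@@ -111,10 +117,61 @@) uses IP_FW_IPOPT_* and IP_FW_TCPOPT_* as bit values to AND against packet header fields, but those constants are ipfw's rule-matching flags, which the existing ipopts_match() and tcpopts_match() derive by walking the option lists; they never appear in an IP or TCP header as bits (see the note on the logging hunk). The "tcp flag", "ip option", "ip tos option" and "tcp option" entries with x == 0 are dead, since every loop in ipfw_log() stops at x == 0, and f_ipopts[] is indented one level deeper than its siblings. The userland ipfw2.c already carries equivalent name tables; if these copies stay, a comment pointing at the other copy helps keep them in sync.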
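Review bot: in the ipfw_log() declaration hunk (@@ -455,17 +512,18 @@) the new ipvals[200] buffer is only written inside the IP-header branch of the function (the block that also fills "fragment"), yet both log() calls at the end print it unconditionally, so any path that reaches them without going through that branch logs uninitialised stack bytes. Set ipvals[0] = '\0' next to fragment[0] and proto[0]. Note also that ipvals plus the four g_* arrays in the later hunk add roughly 350 bytes of kernel stack to a function whose own comment already flags its size.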
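Review bot: the @@ -571,11 +632,11 @@ hunk turns "snprintf(SNPARGS(proto, len), ...)" into "len += snprintf(...)", which is unrelated to extended logging; in the lines shown, len is not read after this call, so the change is harmless, but it belongs in a separate diff with its own justification.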
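Review bot: the extended block in the @@ -619,24 +680,78 @@ hunk has several correctness problems. "comma" is declared as char comma[1]="", so after comma[0] = ',' the array holds no terminating NUL and every "%s" of it reads past the end; use a const char *comma = "" and assign ",". Each snprintf(g_flags, GFLAGS_LEN-1, "%s%s%s", g_flags, ...) passes the destination buffer as a source argument, which is undefined for snprintf; append at an offset (the SNPARGS idiom used elsewhere in this function) instead. setopt = ip->ip_hl and settcpopt = tcp->th_off are header lengths in 32-bit words, not option bitmaps, so masking them with IP_FW_IPOPT_* / IP_FW_TCPOPT_* reports options that are not present (the cover mail's sample output shows "[ipoptions lsrr,rr (0x05) ...]" on ordinary packets, i.e. a 5-word header being decoded); derive the bits by walking the options as ipopts_match()/tcpopts_match() do. tcp->th_flags and tcp->th_off are read before the ip->ip_p == 6 test, so for UDP/ICMP packets and non-first fragments "tcp" does not point at a TCP header; move those reads inside the branch and use IPPROTO_TCP rather than 6. comma[0] = NULL assigns a pointer constant to a char (use '\0'), and th_ack/th_seq are printed with %u without ntohl(), so the logged ack and sequence numbers are byte-swapped.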
From: Diego Linke - GAMK
To: freebsd-ipfw@freebsd.org
Message-Id: <20030715120646.03f26167.linke@calnet.com.br>
In-Reply-To: <20030715004113.A99565@xorpc.icir.org>
References: <3F132237.4010604@freebsdbrasil.com.br> <20030715004113.A99565@xorpc.icir.org>
X-Mailer: Sylpheed version 0.9.3 (GTK+ 1.2.10; i386--netbsdelf)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: I have four ideia for IPFW2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Tue, 15 Jul 2003 15:00:11 -0000

Hi,

> There is already room in the O_LOG command header so we do not need
> to modify ip_fw[2].h to add a field in the structure (helps with
> binary compatibility). In fact, this would allow different levels of
> verbosity in the logs.

I am sorry Luigi, but I do not understand!

We have to modify struct ipfw_insn_log to pass one flag saying that one
determined rule has extended log. We add a variable to identify extended
logs per rule. See:

typedef struct _ipfw_insn_log {
        ipfw_insn o;
        u_int32_t max_log;      /* how many do we log -- 0 = all */
        u_int32_t log_left;     /* how many left to log */
        u_int32_t extended;     /* Extended logs */
} ipfw_insn_log;

I do not understand how to make this without modifying the ip_fw.h file.

Do you have some idea?
Thanks

--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk@gamk.com.br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 15 10:15:23 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 08ACF37B401 for ; Tue, 15 Jul 2003 10:15:23 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7668243F93 for ; Tue, 15 Jul 2003 10:15:22 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h6FHFGkN088021; Tue, 15 Jul 2003 10:15:16 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h6FHFGQi088020; Tue, 15 Jul 2003 10:15:16 -0700 (PDT) (envelope-from rizzo)
Date: Tue, 15 Jul 2003 10:15:16 -0700
From: Luigi Rizzo
To: Diego Linke - GAMK
Message-ID: <20030715101516.A87982@xorpc.icir.org>
References: <3F132237.4010604@freebsdbrasil.com.br> <20030715004113.A99565@xorpc.icir.org> <20030715120646.03f26167.linke@calnet.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030715120646.03f26167.linke@calnet.com.br>; from linke@calnet.com.br on Tue, Jul 15, 2003 at 12:06:46PM -0300
cc: freebsd-ipfw@freebsd.org
Subject: Re: I have four ideia for IPFW2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Tue, 15 Jul 2003 17:15:23 -0000

On Tue, Jul 15, 2003 at 12:06:46PM -0300, Diego Linke - GAMK wrote:
> Hi,
>
> > There is already room in the O_LOG command header so we do not need
> > to modify ip_fw[2].h to add a field in the structure (helps with
> > binary compatibility). In fact, this would allow different levels of
> > verbosity in the logs.
>
> I am sorry Luigi, but I do not understand!
>
> We have to modify struct ipfw_insn_log to pass one flag saying that one determined rule has extended log.

you can use spare fields in ipfw_insn o; for that

cheers
luigi

> We add a variable to identify extended logs per rule. See:
>
> typedef struct _ipfw_insn_log {
>         ipfw_insn o;
>         u_int32_t max_log;      /* how many do we log -- 0 = all */
>         u_int32_t log_left;     /* how many left to log */
>         u_int32_t extended;     /* Extended logs */
> } ipfw_insn_log;
>
> I do not understand how to make this without modifying the ip_fw.h file.
>
> Do you have some idea?
>
> Thanks
>
> --
> [ Diego Linke - GAMK ]
> System/Network/Security Administrator
> E-Mail/Site: gamk@gamk.com.br - http://www.gamk.com.br
> Public Key: http://www.gamk.com.br/gamk.asc
> Phone Number: (+5541) 9967-3464
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 15 11:03:49 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBBC237B401 for ; Tue, 15 Jul 2003 11:03:49 -0700 (PDT)
Received: from afrodite.gamk.com.br (4-094.ctame701-5.telepar.net.br [200.181.150.94]) by mx1.FreeBSD.org (Postfix) with SMTP id 5D9EC43FAF for ; Tue, 15 Jul 2003 11:03:48 -0700 (PDT) (envelope-from linke@calnet.com.br)
Received: (qmail 5564 invoked from network); 15 Jul 2003 18:10:43 -0000
Received: from unknown (HELO work.gamk.com.br) (127.0.0.1) by 0 with SMTP; 15 Jul 2003 18:10:43 -0000
Date: Tue, 15 Jul 2003 15:10:42 -0300
From: Diego Linke - GAMK
To: freebsd-ipfw@freebsd.org
Message-Id: <20030715151042.698b355a.linke@calnet.com.br>
In-Reply-To: <20030715101516.A87982@xorpc.icir.org>
References: <3F132237.4010604@freebsdbrasil.com.br> <20030715004113.A99565@xorpc.icir.org> <20030715120646.03f26167.linke@calnet.com.br> <20030715101516.A87982@xorpc.icir.org>
X-Mailer: Sylpheed version 0.9.3 (GTK+ 1.2.10; i386--netbsdelf)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: I have four ideia for IPFW2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Tue, 15 Jul 2003 18:03:50 -0000

Hi,

> you can use spare fields in ipfw_insn o; for that

You don't want us to change ip_fw.h, or do you only mean that the ipfw_insn_log struct should not be modified?

Maybe a new struct could be created, say, ipfw_insn_log_ext, or would touching the .h break the POLA?
--
[ Diego Linke - GAMK ]
System/Network/Security Administrator
E-Mail/Site: gamk@gamk.com.br - http://www.gamk.com.br
Public Key: http://www.gamk.com.br/gamk.asc
Phone Number: (+5541) 9967-3464

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 15 12:11:52 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 36D7237B439 for ; Tue, 15 Jul 2003 12:11:52 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC35E43F75 for ; Tue, 15 Jul 2003 12:11:51 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h6FJBmkN003210; Tue, 15 Jul 2003 12:11:48 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h6FJBmsI003209; Tue, 15 Jul 2003 12:11:48 -0700 (PDT) (envelope-from rizzo)
Date: Tue, 15 Jul 2003 12:11:48 -0700
From: Luigi Rizzo
To: Diego Linke - GAMK
Message-ID: <20030715121148.A2668@xorpc.icir.org>
References: <3F132237.4010604@freebsdbrasil.com.br> <20030715004113.A99565@xorpc.icir.org> <20030715120646.03f26167.linke@calnet.com.br> <20030715101516.A87982@xorpc.icir.org> <20030715151042.698b355a.linke@calnet.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20030715151042.698b355a.linke@calnet.com.br>; from linke@calnet.com.br on Tue, Jul 15, 2003 at 03:10:42PM -0300
cc: freebsd-ipfw@freebsd.org
Subject: Re: I have four ideia for IPFW2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Tue, 15 Jul 2003 19:11:53 -0000

On Tue, Jul 15, 2003 at 03:10:42PM -0300, Diego Linke - GAMK wrote:
> Hi,
>
> > you can use spare fields in ipfw_insn o; for that
>
> You don't want us to change ip_fw.h, or do you only mean that the ipfw_insn_log struct should not be modified?
>
> Maybe a new struct could be created, say, ipfw_insn_log_ext, or would touching the .h break the POLA?

There is spare storage in ipfw_insn (the arg1 field) which can be
used by individual instructions to store flags and other data if they
fit. The 'extended' flag for log instructions would certainly fit
there, and would make the change completely backward compatible, which
is a big advantage from every point of view.
cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 15 17:01:05 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 71AE837B41F for ; Tue, 15 Jul 2003 17:01:05 -0700 (PDT)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 11A5143F85 for ; Tue, 15 Jul 2003 17:01:05 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h6G00xkN043343; Tue, 15 Jul 2003 17:00:59 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h6G00xA5043342; Tue, 15 Jul 2003 17:00:59 -0700 (PDT) (envelope-from rizzo)
Date: Tue, 15 Jul 2003 17:00:59 -0700
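The spare-field approach Luigi recommends in the thread above, shown as an added example. This is not ipfw's own code: the struct layouts are modelled on ipfw2's ip_fw.h (a 32-bit ipfw_insn header with an unused 16-bit arg1, followed by the two u_int32_t counters of ipfw_insn_log), while the flag bit IPFW_LOG_EXTENDED, the placeholder O_LOG value and the helper names are this example's own assumptions. It compares the size of the unchanged instruction with the patched one, which is the difference an old ipfw(8) binary would notice.

```c
/*
 * Added example (not ipfw's own code): keep the per-rule "extended log"
 * flag in the spare arg1 of the generic ipfw_insn header so that
 * ipfw_insn_log keeps its size and old ipfw(8) binaries stay compatible.
 * Layouts are modelled on FreeBSD's ip_fw.h; IPFW_LOG_EXTENDED, the
 * O_LOG value and the helper names below are assumptions of this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { O_LOG = 30 };            /* placeholder opcode number; only the name matters here */

/* Generic instruction header: opcode, length in 32-bit words, spare 16-bit argument. */
typedef struct _ipfw_insn {
    uint8_t  opcode;
    uint8_t  len;
    uint16_t arg1;
} ipfw_insn;

/* O_LOG instruction as it is upstream: no new field. */
typedef struct _ipfw_insn_log {
    ipfw_insn o;
    uint32_t  max_log;          /* how many do we log -- 0 = all */
    uint32_t  log_left;         /* how many left to log */
} ipfw_insn_log;

/* The same instruction with the patch's extra u_int32_t, for size comparison only. */
typedef struct _ipfw_insn_log_patched {
    ipfw_insn o;
    uint32_t  max_log;
    uint32_t  log_left;
    uint32_t  extended;
} ipfw_insn_log_patched;

#define F_INSN_SIZE(t)     ((sizeof(t)) / sizeof(uint32_t))   /* as in ip_fw.h */
#define IPFW_LOG_EXTENDED  0x0001   /* assumed flag bit carried in o.arg1 */

/* Userland side: build an O_LOG instruction, marking it extended in the header. */
void log_insn_init(ipfw_insn_log *l, uint32_t max_log, int extended)
{
    memset(l, 0, sizeof(*l));
    l->o.opcode = O_LOG;
    l->o.len    = (uint8_t)F_INSN_SIZE(ipfw_insn_log);
    l->o.arg1   = extended ? IPFW_LOG_EXTENDED : 0;
    l->max_log  = max_log;
    l->log_left = max_log;
}

/* Kernel side: read the flag back from the header, not from a new field. */
int log_insn_is_extended(const ipfw_insn_log *l)
{
    return (l->o.arg1 & IPFW_LOG_EXTENDED) != 0;
}

/* Instruction length in 32-bit words, unchanged versus the patched layout. */
size_t log_insn_words(void)         { return F_INSN_SIZE(ipfw_insn_log); }
size_t log_insn_words_patched(void) { return F_INSN_SIZE(ipfw_insn_log_patched); }

int main(void)
{
    ipfw_insn_log plain, ext;

    log_insn_init(&plain, 0, 0);
    log_insn_init(&ext, 2000, 1);
    printf("O_LOG is %zu words with the flag in arg1, %zu words with a new field\n",
           log_insn_words(), log_insn_words_patched());
    printf("plain: extended=%d  ext: extended=%d len=%u max_log=%u\n",
           log_insn_is_extended(&plain), log_insn_is_extended(&ext),
           ext.o.len, ext.max_log);
    return 0;
}
```

Because the length stored in o.len is what both sides use to walk the rule body, keeping F_INSN_SIZE(ipfw_insn_log) at its old value is what makes rules built by an older ipfw(8) load unchanged.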
From: Luigi Rizzo
To: ipfw@freebsd.org
Message-ID: <20030715170059.A43216@xorpc.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
Subject: clarification on /etc/rc.firewall ("in via ..." commands etc.)
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 16 Jul 2003 00:01:05 -0000

Hi,
I was looking at /etc/rc.firewall, and noticed that there is a
number of rules with "... in via $ifname".

Looking at the ipfw1 code:
+ "in" only matches if a packet has a receive interface associated with it.

+ "via $ifname" matches
  1) the xmit interface if one is associated with the packet, or
  2) the receive interface if one is associated with the packet, or
  3) it fails if no interfaces are associated with the packet.

So, my first question is where in our protocol stack we can have
packets with neither receive nor xmit interfaces;

The second question is whether the sequence "in via $ifname"
should be replaced by "in recv $ifname" (which in my opinion
makes it clearer which traffic is being matched).
cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 15 17:07:50 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5BE5037B401 for ; Tue, 15 Jul 2003 17:07:50 -0700 (PDT)
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id B535543F3F for ; Tue, 15 Jul 2003 17:07:49 -0700 (PDT) (envelope-from kudzu@tenebras.com)
Received: (qmail 83304 invoked from network); 16 Jul 2003 00:07:47 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 16 Jul 2003 00:07:47 -0000
Message-ID: <3F149750.3000301@tenebras.com>
Date: Tue, 15 Jul 2003 17:07:44 -0700
From: Michael Sierchio
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3.1) Gecko/20030425
X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de
MIME-Version: 1.0
To: Luigi Rizzo
References: <20030715170059.A43216@xorpc.icir.org>
In-Reply-To: <20030715170059.A43216@xorpc.icir.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: ipfw@freebsd.org
Subject: Re: clarification on /etc/rc.firewall ("in via ..." commands etc.)
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 16 Jul 2003 00:07:50 -0000

Luigi Rizzo wrote:
> Hi,
> I was looking at /etc/rc.firewall, and noticed that there is a
> number of rules with "... in via $ifname".
>
> Looking at the ipfw1 code:
> + "in" only matches if a packet has a receive interface associated with it.
>
> + "via $ifname" matches
>   1) the xmit interface if one is associated with the packet, or
>   2) the receive interface if one is associated with the packet, or
>   3) it fails if no interfaces are associated with the packet.
>
> So, my first question is where in our protocol stack we can have
> packets with neither receive nor xmit interfaces;
>
> The second question is whether the sequence "in via $ifname"
> should be replaced by "in recv $ifname" (which in my opinion
> makes it clearer which traffic is being matched).

On a slightly tangential note, isn't it still the case that a packet
that has been returned by natd (or any divert daemon) has lost any
knowledge of its "in recv" interface?
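A small model of the interface keywords Luigi enumerates above, added here as an example; it is not ipfw's code and follows the semantics as described in the mail ("in" needs a receive interface, "via" accepts either interface and fails when the packet has none, "recv"/"xmit" look at one side only) rather than any particular kernel revision. The type and function names (pkt_ifs, if_rule, if_rule_matches, matches) and the rl0/xl0 cases are this example's own. The second case is the one that answers the question in the mail: "in via rl0" also selects a packet that was received on xl0 and is leaving on rl0, while "in recv rl0" does not.

```c
/*
 * Added example, not ipfw's own code: model of "in", "via", "recv" and
 * "xmit" matching as described in the thread, to show which packets
 * "in via $ifname" and "in recv $ifname" select.  Names here are the
 * example's own assumptions.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct pkt_ifs {
	const char *rcvif;	/* receive interface, NULL if none is associated */
	const char *oif;	/* transmit interface, NULL if none is associated */
};

enum direction { DIR_ANY, DIR_IN, DIR_OUT };
enum ifkw      { IF_NONE, IF_VIA, IF_RECV, IF_XMIT };

struct if_rule {
	enum direction dir;
	enum ifkw      kw;
	const char    *ifname;	/* NULL when kw == IF_NONE */
};

static bool same_if(const char *a, const char *b)
{
	return a != NULL && b != NULL && strcmp(a, b) == 0;
}

/* Does the packet's interface information satisfy the rule? */
bool if_rule_matches(const struct if_rule *r, const struct pkt_ifs *p)
{
	/* "in" needs a receive interface, "out" a transmit interface. */
	if (r->dir == DIR_IN && p->rcvif == NULL)
		return false;
	if (r->dir == DIR_OUT && p->oif == NULL)
		return false;

	switch (r->kw) {
	case IF_NONE:
		return true;
	case IF_RECV:	/* only the receive interface counts */
		return same_if(p->rcvif, r->ifname);
	case IF_XMIT:	/* only the transmit interface counts */
		return same_if(p->oif, r->ifname);
	case IF_VIA:	/* either interface; fails when the packet has none */
		return same_if(p->oif, r->ifname) || same_if(p->rcvif, r->ifname);
	}
	return false;
}

/* Convenience wrapper so each case below reads as one line. */
bool matches(enum direction dir, enum ifkw kw, const char *ifname,
	     const char *rcvif, const char *oif)
{
	struct if_rule r = { dir, kw, ifname };
	struct pkt_ifs p = { rcvif, oif };
	return if_rule_matches(&r, &p);
}

int main(void)
{
	/* Constructed cases: rl0 is the outside interface, xl0 the inside one. */
	struct { const char *what; bool in_via, in_recv; } cases[] = {
		{ "received on rl0, no xmit interface yet",
		  matches(DIR_IN, IF_VIA,  "rl0", "rl0", NULL),
		  matches(DIR_IN, IF_RECV, "rl0", "rl0", NULL) },
		{ "received on xl0, being sent out rl0",
		  matches(DIR_IN, IF_VIA,  "rl0", "xl0", "rl0"),
		  matches(DIR_IN, IF_RECV, "rl0", "xl0", "rl0") },
		{ "locally generated, no receive interface",
		  matches(DIR_IN, IF_VIA,  "rl0", NULL, "rl0"),
		  matches(DIR_IN, IF_RECV, "rl0", NULL, "rl0") },
		{ "no interface information at all",
		  matches(DIR_ANY, IF_VIA,  "rl0", NULL, NULL),
		  matches(DIR_ANY, IF_RECV, "rl0", NULL, NULL) },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-44s in via rl0: %-5s in recv rl0: %s\n", cases[i].what,
		       cases[i].in_via ? "match" : "no",
		       cases[i].in_recv ? "match" : "no");
	return 0;
}
```

The fourth case is the situation of Luigi's first question: a packet with neither interface never satisfies "via", whatever the name, so a rule set that relies on "via" to catch everything silently skips such packets.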
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 16 12:14:17 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5601137B401; Wed, 16 Jul 2003 12:14:17 -0700 (PDT)
Received: from octo.sytes.net (h24-86-191-15.ed.shawcable.net [24.86.191.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F96843F93; Wed, 16 Jul 2003 12:14:16 -0700 (PDT) (envelope-from otacon@octo.sytes.net)
Received: from octo.sytes.net (localhost [127.0.0.1]) by octo.sytes.net (8.12.9/8.12.9) with ESMTP id h6GJEE2W000213; Wed, 16 Jul 2003 13:14:15 -0600 (MDT) (envelope-from otacon@octo.sytes.net)
Received: by octo.sytes.net (8.12.9/8.12.9/Submit) id h6GIp3sp059766; Wed, 16 Jul 2003 12:51:03 -0600 (MDT)
From: Patrick C
To: freebsd-ipfw@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Date: Wed, 16 Jul 2003 12:51:02 -0600
User-Agent: KMail/1.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200307161251.03252.patrick@filespanker.com>
Subject: routing to localhost
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: patrick@filespanker.com
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 16 Jul 2003 19:14:17 -0000

For reasons unknown, any connections to localhost -- tcp, icmp, or udp --
are all originating from my external interface, rl0:

$ telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Can't assign requested address
telnet: Unable to connect to remote host

IPFW log:
Jul 16 12:46:43 octo ipfw: 100 Accept TCP 192.168.1.119:1434 127.0.0.1:25 out via rl0

$ ping localhost
PING localhost (127.0.0.1): 56 data bytes
ping: sendto: Can't assign requested address

$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs    Use  Netif Expire
default            192.168.1.1        UGSc       29    198    rl0
172.16.0.1         00:50:bf:5a:ec:b0  UHLW        0     74    lo0 =>
172.16.0.1/32      link#1             UC          1      0    rl0
172.16.0.2         00:50:bf:5a:ec:b0  UHLW        0    524    lo0 =>
172.16.0.2/32      link#1             UC          1      0    rl0
172.16.0.3/32      link#1             UC          0      0    rl0
192.168.1          link#1             UC          2      0    rl0
192.168.1.1        00:06:25:82:82:49  UHLW       30     12    rl0   1189
192.168.1.119      00:50:bf:5a:ec:b0  UHLW        0     20    lo0

I notice there is no entry for 127.0.0.1. How can I add one?
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 16 13:29:50 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8071037B401; Wed, 16 Jul 2003 13:29:50 -0700 (PDT)
Received: from octo.sytes.net (h24-86-191-15.ed.shawcable.net [24.86.191.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15CAF43F93; Wed, 16 Jul 2003 13:29:49 -0700 (PDT) (envelope-from otacon@octo.sytes.net)
Received: from octo.sytes.net (localhost [127.0.0.1]) by octo.sytes.net (8.12.9/8.12.9) with ESMTP id h6GKTlM5001104; Wed, 16 Jul 2003 14:29:48 -0600 (MDT) (envelope-from otacon@octo.sytes.net)
Received: from localhost (localhost [[UNIX: localhost]]) by octo.sytes.net (8.12.9/8.12.9/Submit) id h6GKTl5Z001103; Wed, 16 Jul 2003 14:29:47 -0600 (MDT)
From: Patrick C
To: freebsd-ipfw@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Date: Wed, 16 Jul 2003 14:29:47 -0600
User-Agent: KMail/1.5.2
References: <200307161251.03252.patrick@filespanker.com>
In-Reply-To: <200307161251.03252.patrick@filespanker.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200307161429.47551.patrick@filespanker.com>
Subject: Re: routing to localhost
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: patrick@filespanker.com
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 16 Jul 2003 20:29:50 -0000

Fixed. I wasn't aware I needed network_interfaces="rl0 lo0" in
/etc/rc.conf. I realize they're not needed at all now.

On July 16, 2003 12:51 pm, Patrick C wrote:
> For reasons unknown, any connections to localhost -- tcp, icmp, or udp --
> are all originating from my external interface, rl0:
>
>
> $ telnet localhost 25
> Trying ::1...
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Can't assign requested address
> telnet: Unable to connect to remote host
>
> IPFW log:
> Jul 16 12:46:43 octo ipfw: 100 Accept TCP 192.168.1.119:1434 127.0.0.1:25
> out via rl0
>
>
> $ ping localhost
> PING localhost (127.0.0.1): 56 data bytes
> ping: sendto: Can't assign requested address
>
>
> $ netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs    Use  Netif Expire
> default            192.168.1.1        UGSc       29    198    rl0
> 172.16.0.1         00:50:bf:5a:ec:b0  UHLW        0     74    lo0 =>
> 172.16.0.1/32      link#1             UC          1      0    rl0
> 172.16.0.2         00:50:bf:5a:ec:b0  UHLW        0    524    lo0 =>
> 172.16.0.2/32      link#1             UC          1      0    rl0
> 172.16.0.3/32      link#1             UC          0      0    rl0
> 192.168.1          link#1             UC          2      0    rl0
> 192.168.1.1        00:06:25:82:82:49  UHLW       30     12    rl0   1189
> 192.168.1.119      00:50:bf:5a:ec:b0  UHLW        0     20    lo0
>
>
> I notice there is no entry for 127.0.0.1. How can I add one?
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 16 13:47:17 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5364637B404; Wed, 16 Jul 2003 13:47:17 -0700 (PDT)
Received: from octo.sytes.net (h24-86-191-15.ed.shawcable.net [24.86.191.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3329543F93; Wed, 16 Jul 2003 13:47:16 -0700 (PDT) (envelope-from otacon@octo.sytes.net)
Received: from octo.sytes.net (localhost [127.0.0.1]) by octo.sytes.net (8.12.9/8.12.9) with ESMTP id h6GKlFM5001174; Wed, 16 Jul 2003 14:47:15 -0600 (MDT) (envelope-from otacon@octo.sytes.net)
Received: from localhost (localhost [[UNIX: localhost]]) by octo.sytes.net (8.12.9/8.12.9/Submit) id h6GKlFDm001173; Wed, 16 Jul 2003 14:47:15 -0600 (MDT)
From: Patrick C
To: freebsd-ipfw@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Date: Wed, 16 Jul 2003 14:47:15 -0600
User-Agent: KMail/1.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200307161447.15141.patrick@filespanker.com>
Subject: accessing a jail via localhost
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: patrick@filespanker.com
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 16 Jul 2003 20:47:17 -0000

I'm facing a problem with accessing a HTTPd (Apache) jail locally.
Consider this jail scenario:

/etc/hosts:
127.0.0.1 localhost foo.com
172.16.0.1 apache

/etc/natd.conf:
use_sockets yes
same_ports yes
unregistered_only yes
redirect_port tcp 172.16.0.1:80 80
redirect_port tcp 172.16.0.1:443 443

/etc/firewall.sh
...
${fwcmd} add divert natd all from any to any via ${oif}(IPFW)
...

rl0, my external net interface, is aliased to 172.16.0.1. Apache 1.3 is
installed in /usr/jail/httpd. There are directives for 5 different hosts,
one of them is foo.com.

The problem is created by the fact that the hostname of this system is
"foo.com", aliased to 127.0.0.1 in /etc/hosts. If I try to access the httpd
with http://172.16.0.1/, the page for foo.com doesn't appear, only the
default page for Apache ("Welcome to Apache!"). However, http://foo.com/ can
be accessed remotely because natd will actually forward it to the jail if
the request originates outside of this machine.

If it were as easy as changing foo.com to 172.16.0.1 in the hosts file, I
would, but other services are dependent on the hostname.

I've also tried this rule with IPFW:

${fwcmd} add fwd 172.16.0.2,80 tcp from any to localhost 80

...any suggestions? Help is very much appreciated.