From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Michael Lopez", freebsd-ipfw@freebsd.org
Date: Sun, 7 Dec 2003 10:02:45 -0500
Subject: RE: ipfw + natd + ppp

FYI

IPFW and stateful rules have a long-time bug when used with IPFW's built-in NATD function. User ppp has its own NAT function. You are much better off using User ppp and its built-in NAT function and IPFW without the divert rule.

On the other hand FBSD also has a second firewall called IPFILTER and it has its own NAT function called IPNAT. Both IPFW and IPFILTER come embedded in FBSD as part of the install. IPFW is authored by the FBSD project and as such it gets unfair preferred treatment in the FBSD handbook. The handbook leads the reader into believing IPFW is the only firewall FBSD has to offer. IPFW is targeted at the professional and the home power user, not the newbie. IPFW is loaded with code bloat and is getting worse now that it has been rewritten as IPFW2, and the bug was not fixed because it's in the NATD module and that was not rewritten. IPFW is not user friendly, and IPFILTER is much more user friendly and its stateful rules work without any problems. People who are members of the IPFW maintenance team tell me the NATD module code is a can of worms and nobody wants to touch it.

If you decide to use IPFILTER I can point you to a very good how-to.

And as a side note, in FBSD 4.9 the ports collection has a new port added for the IPF firewall. So you really have 3 choices of firewall software. I have not tested the IPF port so I have no comments on it yet.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Michael Lopez
Sent: Sunday, December 07, 2003 12:19 AM
To: freebsd-ipfw@freebsd.org
Subject: ipfw + natd + ppp

Hello all,

I was wondering if you guys have a good URL for ipfw + ppp (dial up) + natd for private network (exp: 192.168.0.0) tutorials or resources? I tried to search at google.com/bsd but can hardly find a good one for dial up (also tried freebsd.org ; defcon.org ; freebsddiaries ; freebsdhowtos).

thank you.
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From: "fbsd_user" <fbsd_user@a1poweruser.com>
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@FreeBSD.ORG
Date: Sun, 7 Dec 2003 11:49:42 -0500
Subject: FreeBSD IPFW/IPFILTER & sysctl MIB's

Renaud

Read your how-to at http://renaud.waldura.com/doc/freebsd/firewall/ and first want to say I can tell from what you wrote that you really know your security subject. The only thing lacking is your IPFW rules are all stateless; you should really address the subject of only using stateful rules [ie: keep state] on all allow rules. I am glad to meet you.

All the things below which I cut out of your how-to are MIB's in sysctl; enabling them in the kernel source, or the setup rc.conf, or in sysctl really makes no difference. I have asked this question repeatedly over the months in the FBSD questions list and get no answer, so I ran my own test bench tests. The question is, who gets access to the packets first, these MIB's or the firewall?

Now my test bench tests demonstrate that once IPFW or IPFILTER is enabled, either in the kernel source or in the rc.conf to load the module, all these MIB's for all practical purposes become inactive. I used log_in_vain because it gives a log message when it drops a packet, and it stops issuing messages when the firewall gets enabled. I am not an accomplished code reader so I could not follow the original FBSD system source code. But it looks like at the very least the firewall code gets access to the packets before the MIB's do, and all the things the MIB's are supposed to do are taken care of by the firewall before the MIB's get their turn at the packets. OR at the very worst the firewall code replaces the code where these MIB's live and they never get their turn at the packets. What is happening at this level of the system is way over my abilities to figure out.

It's my conclusion that these MIB's and some others are only effective without a firewall; they are really a poor man's firewall. Now there is no documentation in FBSD that talks about this; the man pages are so cryptic and ambiguous that they're useless, all they say is that these MIB's exist, what good is that? Don't get me started on the poor sub-standard quality of FBSD documentation, that's a whole other question.

Since these MIB's seem not to cause any harm when used with a firewall I always recommend enabling them in sysctl; one can not be too safe.

Can you shed any light on this question?

Thanks

In kernel source
options TCP_DROP_SYNFIN   # drop TCP packets with SYN+FIN
options TCP_RESTRICT_RST  # restrict emission of TCP RST
options ICMP_BANDLIM      # rate limit ICMP replies

In rc.conf
tcp_drop_synfin=YES
tcp_restrict_rst=YES
icmp_bmcastecho=NO
icmp_drop_redirect=YES
icmp_log_redirect=YES

sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

From: "Thomas S. Crum" <tscrum@1wisp.com>
To: "Michael Lopez", freebsd-ipfw@freebsd.org
Date: Sun, 7 Dec 2003 13:37:32 -0500
Organization: 1WISP, Inc.
Subject: RE: ipfw + natd + ppp

The first thing you need to do is get ppp working, making its connection, etc. Just use console on the box until this is completed. 2nd would be to rebuild the kernel for nat and get it working. There are tutorials on these topics in the freebsd handbook.

For ppp:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/userppp.html

And for nat:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

Best,

Tom

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of fbsd_user
Sent: Sunday, December 07, 2003 10:03 AM
To: Michael Lopez; freebsd-ipfw@freebsd.org
Subject: RE: ipfw + natd + ppp

FYI

IPFW and stateful rules have a long-time bug when used with IPFW's built-in NATD function. User ppp has its own NAT function. You are much better off using User ppp and its built-in NAT function and IPFW without the divert rule.

On the other hand FBSD also has a second firewall called IPFILTER and it has its own NAT function called IPNAT. Both IPFW and IPFILTER come embedded in FBSD as part of the install. IPFW is authored by the FBSD project and as such it gets unfair preferred treatment in the FBSD handbook. The handbook leads the reader into believing IPFW is the only firewall FBSD has to offer. IPFW is targeted at the professional and the home power user, not the newbie. IPFW is loaded with code bloat and is getting worse now that it has been rewritten as IPFW2, and the bug was not fixed because it's in the NATD module and that was not rewritten. IPFW is not user friendly, and IPFILTER is much more user friendly and its stateful rules work without any problems. People who are members of the IPFW maintenance team tell me the NATD module code is a can of worms and nobody wants to touch it.

If you decide to use IPFILTER I can point you to a very good how-to.

And as a side note, in FBSD 4.9 the ports collection has a new port added for the IPF firewall. So you really have 3 choices of firewall software. I have not tested the IPF port so I have no comments on it yet.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Michael Lopez
Sent: Sunday, December 07, 2003 12:19 AM
To: freebsd-ipfw@freebsd.org
Subject: ipfw + natd + ppp

Hello all,

I was wondering if you guys have a good URL for ipfw + ppp (dial up) + natd for private network (exp: 192.168.0.0) tutorials or resources? I tried to search at google.com/bsd but can hardly find a good one for dial up (also tried freebsd.org ; defcon.org ; freebsddiaries ; freebsdhowtos).

thank you.

From: Ganbold <ganbold@micom.mng.net>
To: "Ken Joostens"
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 08 Dec 2003 10:47:00 +0800
Subject: RE: bridged ipfw problem in FreeBSD 5.2beta

Hi,

Thanks for reply.
I think IPFW2 is default in FreeBSD 5.x Current branch, so I don't need to define options IPFW2 in kernel config and compile all other sources with -DIPFW2.

Ganbold

At 01:53 AM 06.12.2003, you wrote:
>Hi,
>
>I had a similar problem myself on my new bridge. Apparently when you do deny
>ip from any to any, it also matches 'layer2'-packets like ARP, which means
>they will not be propagated. After some time the connection dies... There
>are no rules in ipfw to allow ARP traffic, the only rule that matches it is
>'ip from any to any'. But! ipfw2 does do layer2 filtering, you can filter on
>MAC address and allow/deny ARP traffic.
>What I did is the following:
>
>Run /stand/sysinstall (as root), choose Configure -> Distributions, then
>src, and then lib, sbin and sys.
>
>To compile libalias:
>cd /usr/src/lib/libalias
>make -DIPFW2
>make install
>
>To compile ipfw:
>cd /usr/src/sbin/ipfw
>make -DIPFW2
>make install
>
>Build a Kernel with:
>cd /usr/src/sys/i386/conf
>options IPFW2
>
>or if you would like to do a make buildworld etc. put IPFW2=TRUE in
>/etc/make.conf
>
>IPFW2 has a few advantages, like layer2 filtering; there are options to
>filter based on the length of the packet, for example to block nachi:
>deny icmp from any to any iplen 92
>
>Regards,
>Ken
>
>
>
>-----Original Message-----
>From: owner-freebsd-ipfw@freebsd.org
>[mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Ganbold
>Sent: Friday, December 05, 2003 4:42 AM
>To: freebsd-ipfw@freebsd.org
>Subject: bridged ipfw problem in FreeBSD 5.2beta
>
>
>Hi,
>
>I'm new to ipfw and I have configured ipfw in Pentium 4 2GHz, 18GB HDD,
>128MB RAM computer.
>This computer will work as a bridge. It has 3 Intel Pro 100Mb cards, 2 for
>bridging and 1 for just connection to this computer
>from remote machine.
>Bridging works just fine, but after 4 hours it doesn't work. It happened 3
>times, all after 4 hours of operation.
>Machine itself was working fine, only it seems it doesn't
>forward packets from internal interface to external or internal interface
>didn't receive anything.
>
>Can somebody tell me where I did wrong in config files? Is it problem with
>NIC or problem with bridge?
>Or is it problem related to arp?
>
>I'm asking a lot of questions in one time, but I really need to install and
>use bridging firewall and
>I hope somebody in this list point me to the right direction.
>
>
>thanks in advance,
>
>Ganbold Ts.
>Mongolia
>
>----------------------------------------------------------------------------
>
>In kernel config I included:
>----------------------------------------------------------------------------
>options IPFIREWALL
>options IPFIREWALL_VERBOSE
>options IPFIREWALL_VERBOSE_LIMIT=100
>
>options IPDIVERT
>options TCPDEBUG
>options IPSTEALTH
>options TCP_DROP_SYNFIN
>
>options DUMMYNET
>options HZ=1000
>options BRIDGE
>----------------------------------------------------------------------------
>
>In sysctl.conf I included:
>----------------------------------------------------------------------------
>
>net.link.ether.bridge_cfg=fxp0:0,fxp1:0
>net.link.ether.bridge_ipfw=1
>net.link.ether.bridge.enable=1
>
>net.inet.ip.fw.one_pass=0
>security.bsd.see_other_uids=0
>net.link.ether.inet.max_age=1200
>kern.ipc.somaxconn=1024
>net.inet.tcp.sendspace=32768
>net.inet.tcp.recvspace=32768
>
>net.inet.ip.sourceroute=0
>net.inet.ip.accept_sourceroute=0
>net.inet.icmp.bmcastecho=0
>net.inet.icmp.maskrepl=0
>
>net.inet.tcp.blackhole=2
>net.inet.udp.blackhole=1
>
>net.inet.ip.fw.dyn_ack_lifetime=3600
>net.inet.ip.fw.dyn_udp_lifetime=10
>net.inet.ip.fw.dyn_buckets=1024
>----------------------------------------------------------------------------
>
>Following is my rc.conf script:
>
>----------------------------------------------------------------------------
>network_interfaces="fxp0 fxp1 fxp2 lo0"
>
>accounting_enable="YES"
>hostname="fw.ub.mng.net"
>defaultrouter="202.179.xxx.xxx"
>ifconfig_fxp1="media 100baseTX mediaopt full-duplex"
>ifconfig_fxp2="inet 202.179.xxx.xxx netmask 255.255.255.248 media 100baseTX mediaopt full-duplex"
>
>inetd_enable="YES"
>kern_securelevel_enable="NO"
>sendmail_enable="NONE"
>sshd_enable="YES"
>usbd_enable="YES"
>
>firewall_enable="YES"
>firewall_script="/etc/rc.firewall"
>firewall_type="custom"
>firewall_quiet="NO"
>
>log_in_vain=1
>icmp_drop_redirect="YES"
>icmp_log_redirect=YES
>tcp_drop_synfin="YES"
>tcp_restrict_rst="YES"
>----------------------------------------------------------------------------
>
>Following is my rc.firewall part:
>----------------------------------------------------------------------------
>..
>[Cc][Uu][Ss][Tt][Oo][Mm])
>
># 0 is external and 1 is internal nic
>fwinterface0="fxp0"
>fwinterface1="fxp1"
>
>${fwcmd} -f flush
>
>######################## CLASS A,B,C #########################
># Things that we have kept state on before get to go through in a hurry
>${fwcmd} add 10 check-state
>
># Denying Class A IP spoofing.
># NOTE: REMARK these lines if you have intranet clients with Class A IP.
>${fwcmd} add 20 deny all from any to 10.0.0.0/8 via fxp0
>${fwcmd} add 21 deny all from 10.0.0.0/8 to any via fxp0
>
># Denying Class B IP spoofing.
># NOTE: REMARK these lines if you have intranet clients with Class B IP.
>${fwcmd} add 22 deny all from any to 172.16.0.0/12 via fxp0
>${fwcmd} add 23 deny all from 172.16.0.0/12 to any via fxp0
>
># Denying Class C IP spoofing.
># NOTE: REMARK these lines if you have intranet clients with Class C IP.
>${fwcmd} add 24 deny all from any to 192.168.0.0/16 via fxp0
>${fwcmd} add 25 deny all from 192.168.0.0/16 to any via fxp0
>
>######################### CLASS D,E #########################
>
># Denying Class D, E IP spoofing.
># Refer to: draft-manning-dsua-03.txt for more information about Class D/E IP.
>${fwcmd} add 26 deny all from any to 0.0.0.0/8 via fxp0
>${fwcmd} add 27 deny all from 0.0.0.0/8 to any via fxp0
>
>${fwcmd} add 28 deny all from any to 192.0.2.0/24 via fxp0
>${fwcmd} add 29 deny all from 192.0.2.0/24 to any via fxp0
>
>${fwcmd} add 30 deny all from any to 169.254.0.0/16 via fxp0
>${fwcmd} add 31 deny all from 169.254.0.0/16 to any via fxp0
>
>${fwcmd} add 32 deny all from any to 224.0.0.0/4 via fxp0
>${fwcmd} add 33 deny all from 224.0.0.0/4 to any via fxp0
>
>####################### DUMMYNET config #######################
>
># apply DUMMYNET bandwidth here
>
># micom
>${fwcmd} pipe 41 config bw 0kbit/s
>${fwcmd} pipe 42 config bw 0kbit/s
>
>${fwcmd} add 60 pipe 41 all from 202.179.xxx.xxx/27 to any in via fxp1
>${fwcmd} add 61 pipe 42 all from any to 202.179.xxx.xxx/27 in via fxp0
>
>#glinkor
>${fwcmd} pipe 43 config bw 128kbit/s
>${fwcmd} pipe 44 config bw 128kbit/s
>
>${fwcmd} add 62 pipe 43 all from 202.179.xxx.xxx/29 to any in via fxp1
>${fwcmd} add 63 pipe 44 all from any to 202.179.xxx.xxx/29 in via fxp0
>
>######################### STANDARDS #########################
>
># Allow TCP through if setup succeeded
>${fwcmd} add 100 pass tcp from any to any established
>
># Allow the bridge machine to say anything it wants
># (if the machine is IP-less do not include these rows)
>${fwcmd} add 200 pass tcp from 202.179.xxx.xxx to any setup keep-state
>${fwcmd} add 210 pass udp from 202.179.xxx.xxx to any keep-state
>${fwcmd} add 220 pass ip from 202.179.xxx.xxx to any
>
># Allowing connections through localhost.
>${fwcmd} add 300 pass all from any to any via lo0
># pass ARP
>${fwcmd} add 301 pass udp from 0.0.0.0 2054 to 0.0.0.0
>
># Allow the inside hosts to say anything they want
>${fwcmd} add pass tcp from any to any in via fxp1 setup keep-state
>${fwcmd} add pass udp from any to any in via fxp1 keep-state
>${fwcmd} add pass ip from any to any in via fxp1
>
>${fwcmd} add pass tcp from any to any in via fxp2 setup keep-state
>${fwcmd} add pass udp from any to any in via fxp2 keep-state
>${fwcmd} add pass ip from any to any in via fxp2
>
>######################### RESTRICTIONS #########################
>
>
># Allowing SSH,web connection and LOG all incoming connections.
>${fwcmd} add pass log tcp from any to any 22 in via fxp0 setup keep-state
>${fwcmd} add pass tcp from any to any 80,443 in via fxp0 setup keep-state
>
># Allowing and LOG all INCOMING, outgoing FTP, telnet, SMTP, POP3, ident, imap connections.
>${fwcmd} add pass tcp from any to any 20-21,23,25,110,113,143 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 20-21,23,25,110,113,143 in via fxp0 keep-state
>
># Pass the "quarantine" range
>${fwcmd} add pass tcp from any to any 40000-65535 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 40000-65535 in via fxp0 keep-state
>
># MSN, Yahoo
>${fwcmd} add pass tcp from any to any 1863,5050 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1863,5050 in via fxp0 keep-state
>
># additional MSN ports
>${fwcmd} add pass tcp from any to any 6891-6901,6801,2001-2120,7801-7825 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 6891-6901,6801,2001-2120,7801-7825 in via fxp0 keep-state
>
># additional h323,yahoo ports
>${fwcmd} add pass tcp from any to any 1719-1721,5000-5010,5100,5190,8010,8100 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1719-1721,5000-5010,5100,5190,8010,8100 in via fxp0 keep-state
>
># allow radius
>${fwcmd} add pass tcp from any to any 1645,1646,1812,1813 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1645,1646,1812,1813 in via fxp0 keep-state
>
># Allowing mysql,Jabber,IRC,chat,SOCKS,HTTP proxy.
>${fwcmd} add pass tcp from any to any 1080,3306,5222,5223,5269,6667,8000,8080 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 1080,3306,5222,5223,5269,6667,8000,8080 in via fxp0 keep-state
>
># additional eMule ports
>${fwcmd} add pass tcp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 2323,4242,4243,4661-4672,7700-7800 in via fxp0 keep-state
>
># Allowing DNS lookups.
>${fwcmd} add pass tcp from any to any 53 in via fxp0 setup keep-state
>${fwcmd} add pass udp from any to any 53 in via fxp0 keep-state
>${fwcmd} add pass udp from any 53 to any in via fxp0 keep-state
>
>#${fwcmd} add pass tcp from any to any 53 out via fxp0 setup keep-state
>#${fwcmd} add pass udp from any to any 53 out via fxp0 keep-state
>
>######################### ICMP #########################
>
># Allowing outgoing PINGs.
># Allowing "Destination Unreachable" "Source Quench" "Time Exceeded" and "Bad Header".
>${fwcmd} add pass icmp from any to any icmptypes 0,3,4,8,11,12
>
># Allowing IP fragments to pass through.
>${fwcmd} add 65000 pass all from any to any frag
>
># Everything else is suspect
>${fwcmd} add drop log ip from any to any
> ;;
>
>----------------------------------------------------------------------------

From: Ganbold <ganbold@micom.mng.net>
To: Jon Simola
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 08 Dec 2003 10:58:03 +0800
Subject: Re: bridged ipfw problem in FreeBSD 5.2beta

Hi,

Thanks for reply. How can I check bridge collisions?
I checked netstat -in to see network card states. But there are no collisions at all. One strange thing is that even after reboot the bridge doesn't work. Traffic from outside is coming to the external interface but there is no traffic coming to the internal interface. I rebooted several times, and I even tried manually restarting ipfw with /etc/rc.d/ipfw restart. But no luck. Then I disconnected the cable from the external card and connected it directly to my switch, a Cisco 4006, in order to pass all traffic directly without the bridge. It of course worked. Then I disconnected the cable and connected it again to the bridge machine's external network card. It didn't work. Then I tried to restart ipfw and it worked again, luckily.

Does somebody have any idea?

At 08:57 AM 06.12.2003, you wrote:
>On Fri, 5 Dec 2003, Ganbold wrote:
>
> > Bridging works just fine, but after 4 hours it doesn't work. It happened
> > 3 times, all after 4 hours of operation. Machine itself was working
> > fine, only it seems it doesn't forward packets from internal interface
> > to external or internal interface didn't receive anything.
>
>This sounded awfully familiar to me, so I did a little looking. I had a
>similar problem that I never completely tracked down, but I believe it had
>something to do with a bunch of devices (DLink DSL modems) that came
>poorly configured. This was on a 4.4-STABLE era FreeBSD box. Perhaps
>5.2Beta is a bit too bleeding edge for you, I'm still testing a
>5.1-RELEASE box and my servers are still on the 4-STABLE track.
>
>Anyways, at one point, there were 40 of those modems all trying to arp for
>a single IP address and the bridging code was constantly spewing bridge
>collision errors. After a while, the firewall completely stopped passing
>traffic until rebooted.
>
>My solution was to block the traffic from the MAC address range of those
>DSL modems as the first ipfw rule.
>
> > Can somebody tell me where I did wrong in config files? Is it problem
> > with NIC or problem with bridge? Or is it problem related to arp?
>
>My compliments on the amount of detail you've provided. I don't see
>anything obvious, other than the slightly confusing aspect of explicitly
>numbering ipfw rules for the first half of the script.
>
> > ${fwcmd} pipe 41 config bw 0kbit/s
> > ${fwcmd} pipe 42 config bw 0kbit/s
> >
> > ${fwcmd} add 60 pipe 41 all from 202.179.xxx.xxx/27 to any in via fxp1
> > ${fwcmd} add 61 pipe 42 all from any to 202.179.xxx.xxx/27 in via fxp0

This is for traffic shaping purposes. 0 means unlimited bandwidth :)

>That gave me a good chuckle, I would guess that you've shut off a
>customer's access for some reason. Giving them 0 bandwidth is certainly a
>solution that had never crossed my mind.
>
> > options TCPDEBUG
> > options IPSTEALTH
>
>TCPDEBUG is undocumented, and IPSTEALTH may not be required. I don't use
>IPSTEALTH myself, never saw a real need. Might want to try without them,
>TCPDEBUG sounds scary.

Yes, those I just included in case there is some situation where they are needed.

> > net.link.ether.inet.max_age=1200
> >
> > net.inet.ip.sourceroute=0
> > net.inet.ip.accept_sourceroute=0
> > net.inet.icmp.bmcastecho=0
> > net.inet.icmp.maskrepl=0
> >
> > net.inet.tcp.blackhole=2
> > net.inet.udp.blackhole=1
> >
> > net.inet.ip.fw.dyn_ack_lifetime=3600
> > net.inet.ip.fw.dyn_udp_lifetime=10
> > net.inet.ip.fw.dyn_buckets=1024
>
>These look fairly good to me, I haven't had to go so far as touching most
>of them on my current box (P4 2.4GHz, with 2 Intel Pro100 and a 3C905,
>peaking at 40Mbit)
>
>---
>Jon Simola           | "In the near future - corporate networks
> Systems Administrator | reach out to the stars, electrons and light
> ABC Communications    | flow throughout the universe." -- GITS

From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Date: Mon, 8 Dec 2003 11:02:06 -0800 (PST)
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216  ipfw  kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw  [patch] time based firewalling support fo

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 13:40:26 2003
From: Steve Bertrand
To: freebsd-ipfw@freebsd.org
Date: Mon, 08 Dec 2003 16:39:37 -0500
Message-Id: <1070919576.704.159.camel@ptp.northnetworks.ca>
Subject: Perl IPFW script

I have recently developed a perl FreeBSD script which works flawlessly
when run at the command prompt, but does not run at startup. I have the
standard entry for firewall_script="/path/scriptname" in /etc/rc.conf,
but it won't load.

Any suggestions?

-- 
Steve Bertrand
President/CTO, Northumberland Network Services
t: 905.352.2688
w: www.northnetworks.ca

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 13:45:21 2003
From: "The Jetman"
To: "FBSD IPFW"
Date: Mon, 8 Dec 2003 16:05:07 -0500
Message-ID: <007301c3bdd5$28713f60$3200a8c0@CBCOFFICE>
References: <000601c3bd22$eea7fbf0$0a00a8c0@Nass> <20031207211448.D96687@odysseus.silby.com>
Subject: Re: Translate MAC address to IP address

Mike: Am I mistaken or can MAC-oriented IPFW2 rules be used alongside
IP-oriented rules? I ask bec I setup a very simple script that would
filter all but a couple of MAC addrs then fwd incoming IPs to an internal
web site. I *thought* I tried all of the reasonable combinations, but I
TOO would like to know more about this. That is, I can filter certain MAC
addrs *OR* I can filter/forward certain IPs, but I can't do both in the
same IPFW script.

Later....Jet

=============== From the desk of Jethro Wright, III ================
+ Nothing causes self-delusion quite so readily as power.          =
=== jetman516 at hotmail.com ====================== Liu Binyan ===

----- Original Message -----
From: "Mike Silbersack"
To: "Dan Constantinescu"
Sent: Sunday, December 7, 2003 22:15 PM
Subject: Re: Translate MAC address to IP address

>
> On Mon, 8 Dec 2003, Dan Constantinescu wrote:
>
> > My name is Dan, and I would ask you for help... how can I filter users
> > from a LAN to access the internet through a FreeBSD server (I've
> > installed it) by MAC? Or do I need a script to bind IP to MAC?
> > Thanks, Dan.
>
> If you're running a recent release of freebsd (4.8 or later should do),
> you can recompile your kernel with IPFW2, which supports filtering by mac
> addresses; see the ipfw manpage for more information.
>
> IPFW2 is the default in 5.x, so you wouldn't need to recompile if you're
> running 5.x.
>
> Mike "Silby" Silbersack

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 13:49:53 2003
From: Steve Bertrand
To: freebsd-ipfw@freebsd.org
Date: Mon, 08 Dec 2003 16:49:04 -0500
Message-Id: <1070920144.704.166.camel@ptp.northnetworks.ca>
In-Reply-To: <1070919576.704.159.camel@ptp.northnetworks.ca>
Subject: Re: Perl IPFW script

> I have recently developed a perl FreeBSD script which works flawlessly
> when run at the command prompt, but does not run at startup. I have the
> standard entry for firewall_script="/path/scriptname" in /etc/rc.conf,
> but it won't load.
>

My apologies. The above should have stated that: "I have developed an
IPFW perl script".

Tks.

Steve

> Any suggestions?
-- 
Steve Bertrand
President/CTO, Northumberland Network Services
t: 905.352.2688
w: www.northnetworks.ca

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 13:52:12 2003
From: "Remko Lodder"
Date: Mon, 8 Dec 2003 22:51:54 +0100
Message-Id: <20031208215153.7941C2B4D47@remco.elvandar.org>
Subject: FW: Perl IPFW script

And one for the ML itself (forgot that)

Grt
Remko

-----Original Message-----
From: Remko Lodder [mailto:remko@elvandar.org]
Sent: Monday 8 December 2003 22:51
To: iaccounts@northnetworks.ca
Subject: RE: Perl IPFW script

Steve,

"/usr/bin/perl /path/scriptname" ? Is that going to work?

Is it executable .. etc?

Grt
Remko

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Steve Bertrand
Sent: Monday 8 December 2003 22:40
To: freebsd-ipfw@freebsd.org
Subject: Perl IPFW script

I have recently developed a perl FreeBSD script which works flawlessly
when run at the command prompt, but does not run at startup. I have the
standard entry for firewall_script="/path/scriptname" in /etc/rc.conf,
but it won't load.

Any suggestions?

-- 
Steve Bertrand
President/CTO, Northumberland Network Services
t: 905.352.2688
w: www.northnetworks.ca

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 13:55:56 2003
From: Steve Bertrand
To: Remko Lodder
cc: freebsd-ipfw@freebsd.org
Date: Mon, 08 Dec 2003 16:54:43 -0500
Message-Id: <1070920483.704.169.camel@ptp.northnetworks.ca>
In-Reply-To: <20031208215153.7941C2B4D47@remco.elvandar.org>
Subject: Re: FW: Perl IPFW script

> Steve,
>
> "/usr/bin/perl /path/scriptname" ? Is that going to work?
>
> Is it executable .. etc?
>

It is executable, however I will try adding the /usr/bin/perl to the
script name and see if that works. I'll have to do that tonight however,
as doing it now would knock about 5000 users offline temporarily ;o)

Steve

> Grt
> Remko
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Steve Bertrand
> Sent: Monday 8 December 2003 22:40
> To: freebsd-ipfw@freebsd.org
> Subject: Perl IPFW script
>
> I have recently developed a perl FreeBSD script which works flawlessly
> when run at the command prompt, but does not run at startup. I have the
> standard entry for firewall_script="/path/scriptname" in /etc/rc.conf,
> but it won't load.
>
> Any suggestions?

-- 
Steve Bertrand
President/CTO, Northumberland Network Services
t: 905.352.2688
w: www.northnetworks.ca

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 14:03:27 2003
From: "Remko Lodder"
cc: freebsd-ipfw@freebsd.org
Date: Mon, 8 Dec 2003 23:03:09 +0100
Message-Id: <20031208220308.B30492B4D50@remco.elvandar.org>
In-Reply-To: <20031208215635.3431A2B4D65@remco.elvandar.org>
Subject: RE: FW: Perl IPFW script

:-) Always nice, those 'tests'.. Of course we want to know whether it
helped etc..

Cheers
Remko

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Steve Bertrand
Sent: Monday 8 December 2003 22:55
To: Remko Lodder
CC: freebsd-ipfw@freebsd.org
Subject: Re: FW: Perl IPFW script

> Steve,
>
> "/usr/bin/perl /path/scriptname" ? Is that going to work?
>
> Is it executable .. etc?
>

It is executable, however I will try adding the /usr/bin/perl to the
script name and see if that works. I'll have to do that tonight however,
as doing it now would knock about 5000 users offline temporarily ;o)

Steve

> Grt
> Remko
>
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Steve Bertrand
> Sent: Monday 8 December 2003 22:40
> To: freebsd-ipfw@freebsd.org
> Subject: Perl IPFW script
>
> I have recently developed a perl FreeBSD script which works flawlessly
> when run at the command prompt, but does not run at startup. I have the
> standard entry for firewall_script="/path/scriptname" in /etc/rc.conf,
> but it won't load.
>
> Any suggestions?
-- 
Steve Bertrand
President/CTO, Northumberland Network Services
t: 905.352.2688
w: www.northnetworks.ca

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 14:13:50 2003
From: "Bjoern A. Zeeb"
To: Steve Bertrand
cc: freebsd-ipfw@freebsd.org
cc: Remko Lodder
Date: Mon, 8 Dec 2003 22:13:34 +0000 (UTC)
In-Reply-To: <1070920483.704.169.camel@ptp.northnetworks.ca>
References: <20031208215153.7941C2B4D47@remco.elvandar.org> <1070920483.704.169.camel@ptp.northnetworks.ca>
Subject: Re: FW: Perl IPFW script

On Mon, 8 Dec 2003, Steve Bertrand wrote:

> > "/usr/bin/perl /path/scriptname" ? Is that going to work?
> >
> > Is it executable .. etc?
> >
>
> It is executable, however I will try adding the /usr/bin/perl to the
> script name and see if that works. I'll have to do that tonight however,
> as doing it now would knock about 5000 users offline temporarily ;o)

On current the firewall_script is sourced into /etc/rc.d/ipfw:

        if [ -r "${firewall_script}" ]; then
                . "${firewall_script}"

A perl script will always make this fail, I guess.

Good luck for your users ;-)

-- 
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 14:33:16 2003
From: Max Laier
To: iaccounts@northnetworks.ca, freebsd-ipfw@freebsd.org
Date: Mon, 8 Dec 2003 23:33:12 +0100
Message-Id: <200312082333.12429.max@love2party.net>
In-Reply-To: <1070919576.704.159.camel@ptp.northnetworks.ca>
Subject: Re: Perl IPFW script

On Monday 08 December 2003 22:39, Steve Bertrand wrote:
> I have recently developed a perl FreeBSD script which works flawlessly
> when run at the command prompt, but does not run at startup. I have the
> standard entry for firewall_script="/path/scriptname" in /etc/rc.conf,
> but it won't load.
>
> Any suggestions?

AFAIR rc.d/ipfw does not require "mountall", which means that your /usr
partition isn't necessarily mounted, which will make your perl script
fail. Sourcing ${firewall_script} in ipfw should not cause problems.

$ dmesg -a is a nice tool ;)

-- 
Best regards,                           | max@love2party.net
Max Laier                               | ICQ #67774661
http://pf4freebsd.love2party.net/       | mlaier@EFnet #DragonFlyBSD

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 15:02:32 2003
From: Jon Simola
To: freebsd-ipfw@freebsd.org
Date: Mon, 8 Dec 2003 15:02:43 -0800 (PST)
Message-ID: <20031208145606.C54324-100000@tyberius.abccom.bc.ca>
In-Reply-To: <007301c3bdd5$28713f60$3200a8c0@CBCOFFICE>
Subject: Re: Translate MAC address to IP address

On Mon, 8 Dec 2003, The Jetman wrote:

> Mike: Am I mistaken or can MAC-oriented IPFW2 rules be used alongside
> IP-oriented rules? I ask bec I setup a very simple script that would
> filter all but a couple of MAC addrs then fwd incoming IPs to an internal
> web site. I *thought* I tried all of the reasonable combinations, but I
> TOO would like to know more about this. That is, I can filter certain MAC
> addrs *OR* I can filter/forward certain IPs, but I can't do both in the
> same IPFW script.
>
> Later....Jet

From my current ruleset:

00007 deny ip from any to any MAC 00:40:05:2f:03:40 any not mac-type 0x0800
00007 deny ip from any to any MAC any 00:40:05:2f:03:40 not mac-type 0x0800 // MAC conflicting with 208.181.67.113
00011 allow ip from any to any layer2 not mac-type 0x0800 // allow ARP
00017 deny ip from any to any MAC 00:40:05:2f:03:40 any
00017 deny ip from any to any MAC any 00:40:05:2f:03:40 // MAC conflicting with 208.181.67.113
00023 deny icmp from 208.181.67.238 to any // mass pings
00030 deny ip from 208.181.165.59 to any // request for cancelled customer
00030 deny ip from any to 208.181.165.59

I've also in the past used rules specifying both the IP and MAC to disable
customers using the wrong IP, but the MAC address filtering just shuts
down their machine entirely. Rule 7 denies ARP through the bridge for that
MAC address, and rule 17 denies all other traffic. I have both so that
customers can't poison ARP caches (7), and to make the block happen
instantaneously (17).

---
Jon Simola             | "In the near future - corporate networks
 Systems Administrator | reach out to the stars, electrons and light
 ABC Communications    | flow throughout the universe."
                                                       -- GITS

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 8 20:28:52 2003
From: Ganbold
To: Don Bowman
cc: freebsd-ipfw@freebsd.org
Date: Tue, 09 Dec 2003 12:32:07 +0800
Message-Id: <6.0.0.22.2.20031209122902.02a58840@202.179.0.80>
Subject: RE: bridged ipfw problem in FreeBSD 5.2beta

Hi,

Thank you to all who helped me. It seems that ARP packets weren't passing
through the firewall. I added the rule as Don suggested and since then it
has been working well for the last 25 hours.

Ganbold

At 10:26 PM 05.12.2003, you wrote:
>From: Ganbold [mailto:ganbold@micom.mng.net]
> > ... bridging firewall ...
> >
> ># Allowing connections through localhost.
> >${fwcmd} add 300 pass all from any to any via lo0
> ># pass ARP
> >${fwcmd} add 301 pass udp from 0.0.0.0 2054 to 0.0.0.0
>
>The comment at least is not right, arp is not udp.
>
>Maybe something like "add 301 allow layer2 mac-type arp"
>instead?
>
>--don

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 9 02:23:03 2003
From: Gregory Edigarov
To: freebsd-ipfw@freebsd.org
Date: Tue, 9 Dec 2003 12:23:12 +0200
Message-ID: <20031209102312.GB529@profi.kharkov.ua>
Subject: ipfw keep-state (ASAP answer needed)

Hello,

The following is a fragment of my rc.firewall which must allow all
traffic in and out of my named.

----
ipfw add 4100 allow udp from me to any 53 keep-state
ipfw add 4200 allow udp from any to me 53
ipfw add 4300 allow udp from me 53 to any
---

This is a fragment from my kernel configuration:

---
options IPFIREWALL                   #firewall
options IPFIREWALL_VERBOSE           #enable logging to syslogd(8)
options IPFIREWALL_FORWARD           #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPDIVERT                     #divert sockets
options IPSTEALTH
options ICMP_BANDLIM
options DUMMYNET
options BRIDGE
options IPFW2
---

It doesn't work. What am I missing?

-- 
With best regards,
Gregory Edigarov
------------------------------------------------------------------------------
profi.kharkov.ua                                         Systems Administrator
------------------------------------------------------------------------------

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 9 06:04:50 2003
From: "Thomas S. Crum - 1WISP, Inc."
To: "Gregory Edigarov"
Date: Tue, 9 Dec 2003 09:04:34 -0500
Message-ID: <01aa01c3be5d$5ff20b80$5e01a8c0@1wispadmin>
References: <20031209102312.GB529@profi.kharkov.ua>
Subject: Re: ipfw keep-state (ASAP answer needed)

If you are using the machine as a bridge, then you must specify the IP
address of the inside interface that you are running bind on. Replace
"me" with the IP.
Best, Tom ----- Original Message ----- From: "Gregory Edigarov" To: Sent: Tuesday, December 09, 2003 5:23 AM Subject: ipfw keep-state (ASAP anwser need) > Hello, > > The folowing is a fragment of my rc.firewall which must > allow all > traffic in and out of my named. > > ---- > ipfw add 4100 allow udp from me to any 53 keep-state > ipfw add 4200 allow udp from any to me 53 > ipfw add 4300 allow udp from me 53 to any > --- > This is a fragment from my kernel configuration: > --- > options IPFIREWALL #firewall > options IPFIREWALL_VERBOSE #enable logging to syslogd(8) > options IPFIREWALL_FORWARD #enable transparent proxy support > options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity > options IPDIVERT #divert sockets > options IPSTEALTH > options ICMP_BANDLIM > options DUMMYNET > options BRIDGE > options IPFW2 > --- > It doesn't work. What am I missing? > > -- > With best regards, > Gregory Edigarov > -------------------------------------------------------------------------- ---- > profi.kharkov.ua Systems Administrator > -------------------------------------------------------------------------- ---- > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 9 21:22:03 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E361616A4CE for ; Tue, 9 Dec 2003 21:22:03 -0800 (PST) Received: from inferno.eagle.ca (inferno.eagle.ca [209.167.16.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id E4FFA43D1F for ; Tue, 9 Dec 2003 21:22:02 -0800 (PST) (envelope-from iaccounts@northnetworks.ca) Received: from [192.168.250.223] (nnet-di.eagle.ca [209.167.16.12]) by inferno.eagle.ca (8.12.8/8.12.3) with ESMTP id hBA5IkiE015937 for ; Wed, 10 Dec 2003 00:18:47 -0500 
(EST) (envelope-from iaccounts@northnetworks.ca) From: Steve Bertrand To: freebsd-ipfw@freebsd.org Content-Type: text/plain Message-Id: <1071033684.25139.1.camel@ptp.northnetworks.ca> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.5 Date: Wed, 10 Dec 2003 00:21:25 -0500 Content-Transfer-Encoding: 7bit Subject: Safe IPFW ruleset X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Dec 2003 05:22:04 -0000 Does anyone have a preferred method for a safe ipfw reload while a few hundred miles away from the server. I have tried a few, but would like some personal experiences. Tks, -- Steve Bertrand President/CTO, Northumberland Network Services t: 905.352.2688 w: www.northnetworks.ca From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 9 21:31:25 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A3EF16A4CE for ; Tue, 9 Dec 2003 21:31:25 -0800 (PST) Received: from tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 5603B43D1F for ; Tue, 9 Dec 2003 21:31:24 -0800 (PST) (envelope-from kudzu@tenebras.com) Received: (qmail 1879 invoked from network); 10 Dec 2003 05:31:23 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 10 Dec 2003 05:31:23 -0000 Message-ID: <3FD6AFAB.6010505@tenebras.com> Date: Tue, 09 Dec 2003 21:31:23 -0800 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Steve Bertrand References: <1071033684.25139.1.camel@ptp.northnetworks.ca> In-Reply-To: <1071033684.25139.1.camel@ptp.northnetworks.ca> Content-Type: text/plain; charset=us-ascii; format=flowed 
cc: freebsd-ipfw@freebsd.org
Subject: Re: Safe IPFW ruleset

Steve Bertrand wrote:
> Does anyone have a preferred method for a safe ipfw reload while a few
> hundred miles away from the server. I have tried a few, but would like
> some personal experiences.

Use IPFW2 and the atomic swapping of sets. You may also add rules that
get matched prior to the current ruleset (in a different set) and disable
the original set when convenient.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 9 21:51:26 2003
Date: Tue, 9 Dec 2003 21:51:21 -0800
From: "Crist J. Clark"
To: fbsd_user
Message-ID: <20031210055121.GC84766@blossom.cjclark.org>
cc: freebsd-ipfw@freebsd.org
cc: "freebsd-questions@FreeBSD.ORG"
cc: renaud@waldura.com
Subject: Re: FreeBSD IPFW/IPFILTER & sysctl MIB's

On Sun, Dec 07, 2003 at 11:49:42AM -0500, fbsd_user wrote:
[snip]

How's it goin', fbsd_user? Been a while.

> The question is, who gets access to the packets first, these MIB's
> or the firewall?

There is no simple answer to this. The MIB values affect behaviors within
the kernel. The important parts of ipfw(8) and ipf(8) are code inside of
the kernel. Some of the behavior of ipfw(8) and ipf(8) themselves is
controlled by sysctl(8) knobs,

  net.inet.ip.fw.enable
  net.inet.ip.fw.one_pass
  net.inet.ip.fw.debug
  net.inet.ip.fw.verbose
  ...
  net.inet.ipf.fr_flags
  net.inet.ipf.fr_pass
  net.inet.ipf.fr_active
  net.inet.ipf.fr_tcpidletimeout
  ...

Whether a specific entry in the sysctl(8) MIB has an effect felt before a
packet gets to ipfw(8) or ipf(8) processing depends on that specific
entry. And just because the feature enabled by the sysctl(8) knob occurs
after firewall processing does not mean it is useless. Packets that are
allowed through the firewall still will be affected by their settings.
For example, you set net.inet.tcp.drop_synfin and have a rule like,

  02000 pass tcp from any to ${smtpsrv} 25

for your mail server. You do not need to add an explicit drop rule for
SYN+FIN packets in your firewall rules (or more likely, you are protected
if you forget such a rule).

--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 10 01:47:38 2003
Message-ID: <3FD6ECF5.1030200@outblaze.com>
Date: Wed, 10 Dec 2003 17:52:53 +0800
From: victor
To: freebsd-ipfw@freebsd.org
Subject: can ipfw do this?

Forgive me if this question has been asked before, I'm totally new to
ipfw. I'm looking forward to setting up 'something' to limit the number
of connections my smtp box would accept from a single IP address, and I
pictured a firewall would be the most likely candidate. However, searching
on the web as well as the ipfw howto document, I can't seem to find any
hints that suggest such a feature is available. I wonder if anyone here
can kindly offer me some direction as to where I can find some info on
this topic. Any tips would be much appreciated.

Tor.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 10 02:46:17 2003
From: "Kang Liu"
Date: Wed, 10 Dec 2003 18:46:08 +0800
Message-ID: <007501c3bf0a$d283d860$e04e70ca@bjpu.edu.cn>
In-Reply-To: <271049355.25780@bjpu.edu.cn>
Subject: RE: can ipfw do this?

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of victor
> Sent: Wednesday, December 10, 2003 5:53 PM
> To: freebsd-ipfw@freebsd.org
> Subject: can ipfw do this?
>
> Forgive me if this question has been asked before, I'm totally new to
> ipfw. I'm looking forward to setting up 'something' to limit the
> number of connections my smtp box would accept from a single IP
> address and I pictured a firewall would be the most likely candidate.
Using ipfw with dynamic rules can solve your problem. e.g.

ipfw add allow tcp from any to any established
ipfw add allow tcp from some_where to my_server_ip server_some_ports limit src-addr num_of_connection_pre_ip setup

I suggest you use ipfw1 if it is a production server; there might be
some problems in ipfw2 when using dynamic rules.

Kang.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 10 03:04:03 2003
Message-ID: <3FD6FEC8.9090307@outblaze.com>
Date: Wed, 10 Dec 2003 19:08:56 +0800
From: victor
To: Kang Liu
In-Reply-To: <007501c3bf0a$d283d860$e04e70ca@bjpu.edu.cn>
cc: freebsd-ipfw@freebsd.org
Subject: Re: can ipfw do this?

Wonderful! Thank you very much sir, I will give this a try asap.

Tor.
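The two pieces of advice above, Michael's "atomic swapping of sets" for a remote-safe reload and Kang's limit src-addr rule for capping connections per source, fit together in one script. The following is an added example, not code from the thread or from the FreeBSD project: it loads a candidate ruleset into a disabled IPFW2 staging set, swaps it in with a single ipfw set swap, and arms a detached timer that swaps the old rules back unless the operator confirms in time (the surviving SSH session is the proof the new rules are sane). The candidate ruleset is constructed for the example; its first rule is check-state, because ipfw(8) consults the dynamic rules only at the first keep-state or limit rule when no check-state precedes them, and the per-source limit of 10 on port 25 is a made-up number. Assumed: IPFW2 (FreeBSD 5.x, or 4.x with options IPFW2), live rules in set 0, set 1 free for staging, /bin/sh.

```shell
#!/bin/sh
# Added example, not from the thread: remote-safe ipfw reload on IPFW2
# rule sets, with an automatic revert.
# Assumptions: IPFW2; running rules in set 0; set 1 free for staging.

IPFW=${IPFW:-/sbin/ipfw}
LIVE=0                      # set number the running ruleset lives in
STAGE=1                     # scratch set; anything in it gets deleted
GRACE=${GRACE:-120}         # seconds the operator has to confirm
CONFIRM=${CONFIRM:-/var/run/ipfw-reload.confirm}
DRY_RUN=${DRY_RUN:-0}       # 1: print the ipfw commands instead of running

# Constructed candidate ruleset, "<number> <rule body>" per line.  check-state
# comes first so keep-state/limit dynamic rules are matched before anything
# else; rule 400 is Kang's per-source cap with a made-up limit of 10.
candidate_rules() {
    cat <<'EOF'
100 check-state
200 allow tcp from any to any established
300 allow tcp from any to me 22 setup keep-state
400 allow tcp from any to me 25 setup limit src-addr 10
500 allow ip from me to any keep-state
65000 deny log ip from any to any
EOF
}

# Run one ipfw command, or print it in dry-run mode.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPFW $*"
    else
        "$IPFW" -q "$@"
    fi
}

# Load the candidate into the staging set.  A disabled set is never matched,
# so a mistake here cannot cut the session off yet.  Rule numbers may repeat
# across sets, so the candidate can reuse the numbers of the rules it replaces.
stage() {
    fw set disable "$STAGE"
    fw delete set "$STAGE"
    candidate_rules | while read -r num body; do
        [ -n "$num" ] || continue
        fw add "$num" set "$STAGE" $body
    done
}

# Exchange the two set numbers in one kernel operation.  Enabled/disabled
# state belongs to the set number, so the staged rules become the enabled
# set LIVE and the old rules become the disabled set STAGE.  Calling it
# again reverts.
swap_sets() {
    fw set swap "$LIVE" "$STAGE"
}

# Dead man's switch: a detached, SIGHUP-immune timer that swaps the old rules
# back unless the confirm marker exists.  nohup matters: if the new rules drop
# your SSH session, the login shell gets HUP and a plain background job would
# die with it.
arm_revert() {
    rm -f "$CONFIRM"
    revert_cmd="sleep $GRACE; [ -e '$CONFIRM' ] || $IPFW -q set swap $LIVE $STAGE"
    if [ "$DRY_RUN" = 1 ]; then
        echo "nohup sh -c \"$revert_cmd\" &"
    else
        nohup sh -c "$revert_cmd" >/dev/null 2>&1 &
    fi
}

# Operator still has a session: keep the new rules, drop the old ones.
confirm() {
    touch "$CONFIRM"
    fw delete set "$STAGE"
}

case "${1:-}" in
    apply)   stage && arm_revert && swap_sets
             echo "new ruleset live; run '$0 confirm' within ${GRACE}s or it reverts" ;;
    confirm) confirm ;;
esac
```

Run it as `sh safe-reload.sh apply`, keep the session open, and run `sh safe-reload.sh confirm` once you can still log in; `DRY_RUN=1 sh safe-reload.sh apply` prints the ipfw commands without touching the kernel. Set 31 holds the default rule and is never touched by the swap, so the fallback when everything else goes wrong is still whatever rule 65535 says.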
From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 10 13:25:19 2003
Date: Wed, 10 Dec 2003 13:24:25 -0800
From: hugle
Message-ID: <118313877361.20031210132425@vkt.lt>
To: freebsd-ipfw@freebsd.org
Subject: change ipfw/natd > ipf/ipnat (HELP needed)

Hello all *BSD users.

I have a question here for you. I have a ruleset like:

00200 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6111
00201 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6112
00202 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6113
00203 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6114
00204 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6115
00205 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6116
00206 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6117
00207 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6118
00208 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6119
00210 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 4000
00211 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 7787
00212 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 7777
00213 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 7877
00214 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 7887
00215 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 9990
00216 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27005
00217 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27015
00220 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27500
00221 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27501
00222 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27960
00250 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6111
00251 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6112
00252 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6113
00253 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6114
00254 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6115
00255 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6116
00256 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6117
00257 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6118
00258 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6119
00260 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 4000
00261 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 7787
00262 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 7777
00263 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 7877
00264 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 7887
00265 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 9990
00266 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27005
00267 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27015
00270 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27500
00271 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27501
00272 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27960
00298 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 53
00299 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 53
00301 divert 8672 ip from 192.168.1.120 to not 192.168.0.0/16
00480 fwd 213.252.192.141 ip from 213.252.192.142 to any
00490 divert 8672 ip from any to 213.252.192.142
00501 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 22
00502 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 25
00503 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 80
00504 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 79
00505 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 80
00506 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 81
00507 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 110
00508 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 113
00509 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 443
00510 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 5050
00511 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 5190
00512 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6667
00513 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 1863
00514 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 2082
00515 divert 8686 tcp from 192.168.0.0/16 to 213.226.139.46 dst-port 7000
00520 divert 8686 icmp from 192.168.0.0/16 to not 192.168.0.0/16
00798 fwd 213.252.192.161 ip from 213.252.192.162 to any
00799 divert 8686 ip from any to 213.252.192.162
00997 divert 8668 ip from 192.168.0.0/16 to not 192.168.0.0/16
00998 fwd 212.59.9.1 ip from 212.59.9.59 to any
00999 divert 8668 ip from any to 212.59.9.59

in my ipfw, and natd rules:

natd -a 212.59.9.59 -p 8668
natd -a 213.252.192.162 -p 8686
natd -a 213.252.192.142 -p 8672

These rules successfully divert traffic through 3 different gateways based
on the user's destination PORT. Now the question is, how would I translate
it to IPF+IPNAT? It is rather difficult for me to do that, so I ask you to
help me deal with this problem... Since I tried many times to do that..
but the result I came up with is that after adding ipf/ipnat rules my PC
hangs up after 3-10 minutes ;))

So maybe someone could give me an example of how to use 2 gateways using
ipfilter?

Thank you very much!

Jarek

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 10 14:40:56 2003
Date: Wed, 10 Dec 2003 14:41:05 -0800 (PST)
From: Jon Simola
To: freebsd-ipfw@freebsd.org
In-Reply-To: <6.0.0.22.2.20031208104708.029d8cc0@202.179.0.80>
Message-ID: <20031210141309.Q54324-100000@tyberius.abccom.bc.ca>
Subject: Re: bridged ipfw problem in FreeBSD 5.2beta

On Mon, 8 Dec 2003, Ganbold wrote:

> Thanks for reply. How can I check bridge collision?

Error messages of that type are usually logged to syslog; you might be
able to find something in /var/log/messages.

> One strange thing is even after reboot bridge doesn't work. Traffic
> from outside is coming to the external interface but there is no traffic
> coming to the internal interface.

No traffic to the internal interface? Do you mean that the bridge is not
forwarding traffic, or that your internal interface is not receiving
packets from the switch?
Try enabling bridge debugging and rebuild the kernel. This will help a lot.

diff for /usr/src/sys/net/bridge.c:
197c197
< #define DEB(x)
---
> #define DEB(x) x
210c210
< #if 0 /* debugging only */
---
> #if 1 /* debugging only */

> I rebooted several times, even I tried manually restart ipfw like
> /etc/rc.d/ipfw restart.

That doesn't appear to do anything. The /etc/rc.d/ipfw script looks like
a fancy wrapper that twiddles the sysctl net.inet.ip.fw.enable.

> But no luck. Then I disconnected cable from external card and connected
> directly to my switch Cisco 4006 in order to pass all traffic directly
> without bridge. It of course worked. Then I disconnected back the cable
> and connected again to bridge machine external network card again. It
> didn't work. Then I tried to restart ipfw and it worked again luckily.

I had a lot of problems similar to this when trying to get my machine in
place. The bridging code learns MAC addresses on an interface, and doesn't
play nicely when things are changed. When you reboot the bridge, be sure
to reboot all the switches; that caused me a lot of confusion when I first
started.

At the time, I was facing problems with a pair of Intel 82540EM 1000BaseT
nics which were doing bad things. I found a PR with a patch that disables
hardware checksumming on those cards but haven't had a chance to try them
again.

---
Jon Simola            | "In the near future - corporate networks
Systems Administrator | reach out to the stars, electrons and light
ABC Communications    | flow throughout the universe." -- GITS
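Review bot: the 197c197 hunk turns DEB(x) from an empty macro into its argument, so every DEB() call site in bridge.c becomes live code in the resulting kernel; this is a local debugging toggle to back out before the next production build, not something to leave in, and the reader should expect the extra console/syslog output on a busy bridge since the hunk adds no rate limiting.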
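Review bot: the 210c210 hunk shows only the guard flip from `#if 0 /* debugging only */` to `#if 1` and nothing of the block it enables, and both hunks are keyed to line numbers (197, 210) of one bridge.c revision; name the source revision or regenerate the diff with context (diff -u) so someone on a different 5.2-BETA snapshot can locate and apply the change by hand.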
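Returning to Jarek's port-based policy routing ruleset above: before translating a list that long to another packet filter it pays to have a machine check it. The script below is an added example, not code from the thread or from the FreeBSD project. It parses "ipfw list" style output, maps each outbound divert rule to the natd instance (and so the gateway) it hands traffic to, and reports (natd port, proto, dst-port) triples matched by more than one rule, which means only the first can ever match. It ships with a subset of Jarek's rules, copied from his post, so it runs offline; run it on the full list as posted and it flags tcp 80 (rules 00503 and 00505) and tcp 27500, 27501 and 27960 (00220-00222 against 00270-00272) as duplicates. Since 00270-00272 look like the intended udp counterparts of 00220-00222, udp traffic to those three ports currently falls through to rule 00997 and leaves via the natd on port 8668 (212.59.9.59) instead of 8672. The natd port to alias mapping is taken from the natd command lines in the post.

```shell
#!/bin/sh
# Added example, not from the thread: check a port-based divert/natd
# ruleset for dead duplicate rules and summarise which destination ports
# leave through which natd instance.
# Assumptions: "ipfw list" output, one rule per line, as pasted in the post.

INTERNAL=${INTERNAL:-192.168.0.0/16}   # source net the outbound divert rules match

# A subset of Jarek's rules, copied from the post, so the script runs offline.
sample_rules() {
    cat <<'EOF'
00200 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6111
00220 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27500
00250 divert 8672 udp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 6111
00270 divert 8672 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 27500
00490 divert 8672 ip from any to 213.252.192.142
00503 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 80
00505 divert 8686 tcp from 192.168.0.0/16 to not 192.168.0.0/16 dst-port 80
00520 divert 8686 icmp from 192.168.0.0/16 to not 192.168.0.0/16
00997 divert 8668 ip from 192.168.0.0/16 to not 192.168.0.0/16
EOF
}

# natd listening port -> alias address, from the natd command lines in the post.
natd_alias() {
    case "$1" in
        8668) echo 212.59.9.59 ;;
        8686) echo 213.252.192.162 ;;
        8672) echo 213.252.192.142 ;;
        *)    echo unknown ;;
    esac
}

# Reduce each outbound divert rule to "<rule> <natd-port> <proto> <dst-port|any>".
# Inbound de-NAT rules (divert ... from any to <alias>) are skipped.
parse_divert() {
    awk -v net="$INTERNAL" '
        $2 == "divert" && $5 == "from" && $6 == net {
            port = "any"
            for (i = 7; i <= NF; i++) if ($i == "dst-port") port = $(i + 1)
            print $1, $3, $4, port
        }'
}

# (natd-port, proto, dst-port) triples hit by more than one rule: ipfw stops
# at the first divert match, so every later rule in the group is dead.
find_duplicates() {
    parse_divert | awk '
        { key = $2 " " $3 " " $4; rules[key] = rules[key] " " $1; n[key]++ }
        END { for (k in rules) if (n[k] > 1) print "duplicate divert " k ":" rules[k] }' | sort
}

# Which destination ports leave through which natd instance (and gateway).
summarize() {
    parse_divert | awk '
        { key = $2 " " $3; ports[key] = ports[key] " " $4 }
        END { for (k in ports) print k ports[k] }' | sort |
    while read -r nport proto ports; do
        echo "via $(natd_alias "$nport") (natd -p $nport) $proto: $ports"
    done
}

# Usage: "sh check-divert.sh sample" for the embedded subset, or
# "ipfw list > rules.txt; sh check-divert.sh rules.txt" for a real ruleset.
case "${1:-}" in
    sample) sample_rules | find_duplicates; sample_rules | summarize ;;
    ?*)     find_duplicates < "$1"; summarize < "$1" ;;
esac
```

On the embedded subset the duplicate report names 00220/00270 and 00503/00505; the summary lines are what you would hand to whoever writes the IPNAT map rules, one per natd alias and protocol.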